Securing Citrix with SSL VPN Technology




An AEP Networks Solution Summary

For years, Citrix Systems has dominated the server-based computing market as the solution of choice for application access across the enterprise. Citrix Presentation Server (formerly MetaFrame) delivers a scalable, comprehensive solution that yields clear dividends. However, securing Presentation Server resources, particularly for access beyond the LAN, remains a central challenge.

Historically, Citrix administrators have had few options for remote access to Presentation Server applications beyond Citrix's resource- and server-intensive Secure Gateway for MetaFrame (Citrix Secure Gateway) software. More recently, Citrix has taken another stab at security by offering an acquired appliance called Citrix Access Gateway (CAG). While CAG is a decided step forward in deployment and manageability, the appliance is lacking in flexibility and security features. For example, CAG was eliminated from Network World's December 2005 SSL VPN testing for its lack of web reverse proxy technology, a key requirement for secure, clientless application access. The product lacks third-party security validation and accreditations such as Federal Information Processing Standards (FIPS), ICSA Labs Secure Sockets Layer - Transport Layer Security (SSL-TLS) certification, and Virtual Private Network Consortium (VPNC) testing. CAG is also designed for Citrix applications only, and does not support the variety of applications typically required by business users. For many organizations, CAG does not represent a true enterprise-class remote access solution. SSL VPNs offer a broader approach, providing network security for Presentation Server as well as other application environments while adding important features unavailable with CAG.
This paper describes the drawbacks associated with CAG and presents the AEP Netilla Security Platform, an SSL VPN from AEP Networks, as the best-of-breed alternative for simple, secure access to Citrix Presentation Server.

Citrix Access Gateway Overview

CAG, a 1U rack-mounted appliance, is designed as an access platform for Citrix-only environments. From an implementation perspective, CAG is a much less complicated solution than its predecessor Citrix Secure Gateway, a software product requiring two to four servers and significant effort to deploy and maintain. However, CAG is far from a total remote access solution.

CAG lacks key security capabilities:
- Does not employ proxies: it relies on tunneling only, which creates an end-to-end connection from the remote client into the private network and is much less secure than proxying at the application layer.
- No industry certifications (FIPS, ICSA, VPNC).
- Limited policy enforcement: no group information is retrieved from Active Directory or LDAP.
- No stateful packet inspection (SPI) firewall.

CAG lacks key functionality:
- Limited growth options: it cannot be securely extended to non-Citrix applications (web-based, Linux, mainframe, or native Windows Terminal Services).
- Requires a full Windows client or an ActiveX control, plus administrator rights on the remote user's PC.
- Confusing for end users: multiple clicks are needed to reach a Citrix application.
- Lacks authentication options (e.g. no client-side certificates with revocation checking, no device identification, no embedded two-factor server).
- Complicated deployment and management: requires Web Interface and a Secure Ticket Authority configured on the private network, and lacks browser-based administration.
- Poor reporting: while CAG supports standard syslog/SNMP management, reporting is limited to failover and external load balancing.

SSL VPNs: A Better Approach

SSL VPNs provide a much higher level of security than CAG, while adding a range of features that allow companies to extend their Citrix infrastructure with surprising ease. The AEP Netilla Security Platform (NSP), for example, enhances Citrix with an icon-driven webtop with auto-launch capabilities, an embedded two-factor authentication server, server load balancing, session timeouts, robust reporting and logging, forced re-authentication, and client machine identification.

The NSP provides this functionality through a realms-based policy framework, allowing organizations to create customized policy enforcement containers depending on the access environment. For example, some users may require the full Outlook client via Citrix while others access Outlook Web Access through a reverse proxy. Road warriors who work from kiosks need endpoint integrity scans, while other users must be limited to corporate-issued PCs only. A single NSP supports all these requirements to suit the assorted access needs of the enterprise.
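The realms model sketched above, as an added example (this is not AEP code, and the NSP's actual rule syntax is not shown on the page): a small first-match, default-deny policy evaluator in Python. Realm names, request attributes, the device allowlist and the access-mode labels are assumptions chosen to mirror the scenarios in the paragraph (corporate-issued PCs, kiosks that need an endpoint integrity scan, a web-only realm for partners). The two details worth copying are that rule order is part of the policy, and that an unmatched request ends in a denial rather than a default realm.

```python
"""Realm-based access policy: first matching realm wins, no match means deny.
Added example modelled on the 'realms' description above; not AEP code."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence

# Constructed device allowlist: identifiers the gateway has registered for corporate-issued PCs.
CORPORATE_DEVICE_IDS = frozenset({"dev-3f9a", "dev-8c21"})


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]          # from the Active Directory / LDAP lookup
    device_id: Optional[str]        # None when client machine identification is unavailable
    endpoint_scan_passed: bool      # result of the endpoint integrity scan
    second_factor_used: bool        # OTP or certificate presented in addition to the password


@dataclass(frozen=True)
class Realm:
    name: str
    required_group: str
    corporate_device_only: bool
    require_endpoint_scan: bool
    require_second_factor: bool
    access_modes: FrozenSet[str]    # "port_forward", "thin_proxy", "web_proxy", "l3_tunnel"
    idle_timeout_min: int
    reauth_after_min: int

    def admits(self, req: AccessRequest) -> bool:
        """Every condition of the realm must hold; any failure rejects the request for this realm."""
        if self.required_group not in req.groups:
            return False
        if self.corporate_device_only and req.device_id not in CORPORATE_DEVICE_IDS:
            return False
        if self.require_endpoint_scan and not req.endpoint_scan_passed:
            return False
        if self.require_second_factor and not req.second_factor_used:
            return False
        return True


# Order matters: the most privileged realm carries the strictest device condition and is tried
# first, so a staff member on an unregistered kiosk falls through to the restricted realm.
REALMS: Sequence[Realm] = (
    Realm("corporate-pc", "staff", corporate_device_only=True, require_endpoint_scan=False,
          require_second_factor=False,
          access_modes=frozenset({"port_forward", "thin_proxy", "web_proxy", "l3_tunnel"}),
          idle_timeout_min=60, reauth_after_min=480),
    Realm("kiosk", "staff", corporate_device_only=False, require_endpoint_scan=True,
          require_second_factor=True,
          # nothing that installs a client or opens a network-layer tunnel from a kiosk
          access_modes=frozenset({"thin_proxy", "web_proxy"}),
          idle_timeout_min=10, reauth_after_min=60),
    Realm("partner-web", "partners", corporate_device_only=False, require_endpoint_scan=False,
          require_second_factor=True,
          access_modes=frozenset({"web_proxy"}),
          idle_timeout_min=15, reauth_after_min=120),
)


def select_realm(req: AccessRequest, realms: Sequence[Realm] = REALMS) -> Optional[Realm]:
    """Return the first realm that admits the request, or None, which the caller treats as deny."""
    for realm in realms:
        if realm.admits(req):
            return realm
    return None


def permitted_modes(req: AccessRequest) -> FrozenSet[str]:
    """Access modes the user may use in this session; empty when no realm admits the request."""
    realm = select_realm(req)
    return realm.access_modes if realm else frozenset()


if __name__ == "__main__":
    alice_office = AccessRequest("alice", frozenset({"staff"}), "dev-3f9a", False, False)
    alice_kiosk = AccessRequest("alice", frozenset({"staff"}), None, True, True)
    for req in (alice_office, alice_kiosk):
        realm = select_realm(req)
        print(req.user, req.device_id, "->", realm.name if realm else "DENY", sorted(permitted_modes(req)))
```

The same user lands in different realms depending only on what the gateway can establish about the endpoint, which is the behaviour the paragraph describes; what the code adds is that the restricted realm also shrinks the set of access modes, so a kiosk session cannot request the Layer 3 tunnel even if the user is otherwise entitled to it.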
Securing Presentation Server Directly with the AEP Netilla Security Platform (NSP)

For organizations that prefer to use the native Citrix ICA client, the NSP uses AEP's Intelligent Port Forwarding technology. As shown in Figure 1, this technique automatically delivers a Java client that runs on the remote Windows machine and listens on the TCP port that Presentation Server applications use. As soon as data starts to flow, the Port Forwarder Java client encapsulates and encrypts all the traffic in SSL and forwards it to the NSP gateway, where it is decrypted and delivered to a Citrix Presentation Server.

Figure 1: Port Forwarding the ICA Client (ActiveX, Java, Win32)
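The client-side forwarder described above, as an added example in Python (not AEP's Java client, whose internals are not on the page): a loopback listener on the ICA port that wraps each accepted connection in TLS to the gateway and relays bytes in both directions. It assumes that the gateway terminates the TLS leg and hands the inner stream to the Presentation Server, that the ICA client has been pointed at 127.0.0.1 (the page does not say how that redirection is done), and that the gateway presents a certificate the client can verify; 1494 is Citrix's default ICA port. The check a practitioner should look for is in make_gateway_context: the forwarder verifies the gateway's certificate and hostname, because a forwarder that accepted any certificate would let an on-path attacker read the very ICA session it was meant to protect.

```python
"""Client-side ICA port forwarder over TLS. Added example modelled on the
Intelligent Port Forwarding description above; not AEP code."""
import socket
import ssl
import threading

ICA_PORT = 1494      # Citrix's default ICA listener port (assumed unchanged on the target farm)
BUFSIZE = 65536


def make_gateway_context(ca_file=None):
    """TLS context for the leg to the gateway. Certificate and hostname verification stay on;
    ca_file is an optional private CA bundle for a gateway with an internally issued certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def pump(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst so the far side sees EOF too."""
    try:
        while True:
            data = src.recv(BUFSIZE)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(a, b):
    """Bidirectional relay between two connected sockets; returns once both directions have closed."""
    back = threading.Thread(target=pump, args=(b, a), daemon=True)
    back.start()
    pump(a, b)
    back.join()
    a.close()
    b.close()


class LocalForwarder:
    """Listens on 127.0.0.1:<local_port>; each accepted ICA connection is carried over a fresh TLS
    session to gateway_host:gateway_port. The plaintext side is bound to loopback only."""

    def __init__(self, gateway_host, gateway_port=443, local_port=ICA_PORT, context=None):
        self.gateway = (gateway_host, gateway_port)
        self.context = context or make_gateway_context()
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", local_port))
        self.listener.listen(16)

    def open_gateway_leg(self):
        """Connect to the gateway and complete the TLS handshake, verifying it against server_hostname."""
        raw = socket.create_connection(self.gateway, timeout=10)
        return self.context.wrap_socket(raw, server_hostname=self.gateway[0])

    def serve_forever(self):
        while True:
            client, _ = self.listener.accept()
            try:
                upstream = self.open_gateway_leg()
            except (OSError, ssl.SSLError) as exc:
                print("gateway leg failed, dropping ICA connection:", exc)
                client.close()
                continue
            threading.Thread(target=relay, args=(client, upstream), daemon=True).start()


def demo_relay(client_bytes, server_bytes):
    """Offline exercise of relay() over socket pairs (no gateway needed): returns what the
    gateway side received and what the client side got back."""
    client, fwd_in = socket.socketpair()
    fwd_out, gateway = socket.socketpair()
    worker = threading.Thread(target=relay, args=(fwd_in, fwd_out), daemon=True)
    worker.start()
    client.sendall(client_bytes)
    seen_by_gateway = gateway.recv(BUFSIZE)
    gateway.sendall(server_bytes)
    seen_by_client = client.recv(BUFSIZE)
    client.close()
    gateway.close()
    worker.join(5)
    return seen_by_gateway, seen_by_client


if __name__ == "__main__":
    # Usage: python forwarder.py <gateway-host>; then point the ICA client at 127.0.0.1:1494.
    import sys
    LocalForwarder(sys.argv[1]).serve_forever()
```

demo_relay exists so the copy loop can be tried without a gateway; LocalForwarder is the real thing and needs a reachable TLS gateway. A production forwarder would also have to tell the gateway which Presentation Server the inner stream is for, which the page does not describe, so this example carries one target per listener.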

Once the user logs in to the NSP (via the authentication protocol used for the network), the NSP pulls the list of authorized applications defined on the Citrix servers and publishes icons for these applications directly onto the NSP's unified webtop. These Citrix icons are presented along with all the other resources defined for that user (web, Linux, mainframe or native Windows Terminal Server applications, as well as file shares). Alternatively, the NSP can be configured to auto-launch Citrix applications directly from the NSP's initial login screen. As an added benefit, changes administrators make to published Citrix applications are reflected automatically in the user's webtop, with no additional administrator intervention.

When a Citrix application is requested by the end user (either by clicking an icon or via the NSP's application auto-launch), the NSP checks whether an ICA client is already resident on the user's computer; if not, it delivers a Java applet that installs the Citrix ICA client (Java or ActiveX) on the user's PC. Administrator rights are not required for this process, nor are hosts file edits on the user's PC. End users need only click an icon or log in to the appliance to reach Citrix applications; the NSP provides the appropriate client seamlessly and without administrative hassle. The NSP will publish any Citrix application (a Windows desktop, a full Program Neighborhood, or a single Citrix application), and standard Citrix printing and all other Presentation Server services, such as Seamless Windows and load balancing, are fully supported.

Of note: the NSP provides access directly to the Presentation Servers themselves, without requiring Citrix Secure Gateway or Citrix Web Interface, further cutting costs and management effort.
From an administrator's perspective, deploying Presentation Server via the NSP is a single-screen process:
- The administrator enters the IP address or hostname of a Citrix server running the XML Service, or the host/IP of the SSL Relay.
- The administrator selects standard options (application icon to display, server address, default ICA client to deliver, etc.).
- The administrator selects the users or groups (Active Directory or LDAP) allowed to run the application set.

Option Two: Using AEP NSP Thin Proxy

As an alternative to Intelligent Port Forwarding, the NSP offers an embedded thin-client proxy. In this arrangement, the NSP generates a proxy, or representation, of the application, so that remote users reach applications through native protocols such as Remote Desktop Protocol (RDP) for Windows-based applications.

Figure 2: Thin Client Proxy for Windows and Citrix Applications

As shown in Figure 2, the NSP intermediates between remote-client requests and the application server on the private network, terminating incoming SSL connections at the application layer in the NSP appliance, which sits in the DMZ. Once the incoming request is terminated, the NSP translates the data to the appropriate application protocol, such as RDP for the Terminal Server or Citrix server. Because the connection is terminated in the appliance, the NSP can apply security policy at that point, functioning as a gatekeeper between the Internet and the private network. It is this security benefit that distinguishes the NSP from competitors: in this application-layer proxy model, the end user never connects directly to a private-side network resource. The NSP functions as a proxy, protecting application servers from direct Internet exposure.

Capping Citrix with NSP Thin Proxy

Another benefit of NSP Thin Proxy technology comes from simplifying the organization's use of Citrix. Even if an organization relies on Citrix on the LAN, remote users can use AEP Thin technology to talk RDP to the Citrix server, because Presentation Server runs on top of Windows Terminal Services and the same host can therefore be reached over RDP. In this way, the NSP enables an organization to cap its Citrix deployment and instead give remote users AEP thin-client access to the same applications they use in the office, rather than expanding Citrix further. Alternatively, organizations might prefer to make some Citrix applications available via Port Forwarding and others via AEP's thin proxy. Both scenarios are possible in the same NSP, and in the same user's session, using AEP V-Realms.

Secure All Business Applications with a Single Appliance

In addition to Port Forwarding and Thin Proxy, the NSP also rewrites HTTP traffic for web-based applications, allowing internal DNS names that do not resolve publicly to be reached securely over the Internet.
Company web servers remain behind the firewall, in a protected portion of the private network, without the cost and maintenance of locking each server down for public access, while administrators gain granular access control to directories, servers and paths on a per-user or per-group basis. Rounding out the NSP's access modes are Layer 3 (network-layer) tunneling for client/server applications and a Java-based file browser with client drive mapping and drag, drop, copy and paste functionality.
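The HTTP rewriting and per-path access control just described, as an added example in Python (not AEP code; the NSP's actual rewriting rules are not on the page): links to published internal hosts are rewritten to gateway URLs on the way out, and on the way in the gateway path is mapped back to the internal server and checked against a per-group path ACL. The gateway name access.example.com, the host-to-prefix mapping, the ACL and the sample HTML are all constructed for the example. It goes slightly beyond the paragraph in decoding and normalising the backend path before the ACL check, which is what stops a ../ or %2e%2e segment from reaching a directory the ACL did not grant.

```python
"""Reverse-proxy URL rewriting with a published-host allowlist and per-group path ACLs.
Added example modelled on the web application access mode described above; not AEP code."""
import posixpath
import re
from typing import Dict, FrozenSet, Optional, Set, Tuple
from urllib.parse import unquote, urlsplit, urlunsplit

GATEWAY = "https://access.example.com"  # assumed public name of the gateway

# Constructed: internal hosts that have been published, and the gateway path each is mapped to.
# A host that is not listed is neither rewritten nor reachable through the proxy.
PUBLISHED: Dict[str, str] = {
    "intranet.corp.local": "/web/intranet",
    "owa.corp.local": "/web/owa",
}

# Constructed: group -> set of (internal host, allowed path prefix) pairs. Prefixes end in "/".
ACL: Dict[str, Set[Tuple[str, str]]] = {
    "staff": {("intranet.corp.local", "/"), ("owa.corp.local", "/")},
    "contractors": {("intranet.corp.local", "/public/")},
}

# Double-quoted href/src/action attributes; a production rewriter also handles single quotes,
# unquoted attributes, CSS url() and script-built URLs, which are left out here for brevity.
_LINK_ATTR = re.compile(r'(\b(?:href|src|action)=")([^"]*)(")', re.IGNORECASE)


def to_gateway_url(url: str) -> str:
    """Outbound rewrite: an absolute URL to a published internal host becomes a gateway URL;
    everything else (public sites, relative links, mailto:) is returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return url
    prefix = PUBLISHED.get(parts.hostname)
    if prefix is None:
        return url
    gw = urlsplit(GATEWAY)
    return urlunsplit((gw.scheme, gw.netloc, prefix + (parts.path or "/"), parts.query, parts.fragment))


def rewrite_html(body: str) -> str:
    """Rewrite link attributes in a response body so that follow-on requests keep flowing through the gateway."""
    return _LINK_ATTR.sub(lambda m: m.group(1) + to_gateway_url(m.group(2)) + m.group(3), body)


def route_request(gateway_path: str, groups: FrozenSet[str]) -> Optional[Tuple[str, str]]:
    """Inbound mapping: gateway path -> (internal host, backend path), or None when the path is not
    published or none of the user's groups allows it. The path is percent-decoded and normalised
    before the ACL check so that dot segments cannot escape an allowed prefix."""
    for host, prefix in PUBLISHED.items():
        if gateway_path == prefix or gateway_path.startswith(prefix + "/"):
            rest = unquote(gateway_path[len(prefix):]) or "/"
            backend_path = posixpath.normpath(rest)
            if rest.endswith("/") and not backend_path.endswith("/"):
                backend_path += "/"          # normpath drops the trailing slash; keep it for the backend
            if not backend_path.startswith("/"):
                return None
            for group in groups:
                for acl_host, allowed in ACL.get(group, ()):
                    if acl_host == host and backend_path.startswith(allowed):
                        return host, backend_path
            return None                      # published host, but no group grants this path
    return None                              # not a published host at all


if __name__ == "__main__":
    page = '<a href="http://owa.corp.local/exchange/">Mail</a> <img src="https://cdn.example.org/l.png">'
    print(rewrite_html(page))
    print(route_request("/web/intranet/public/../hr/salaries.html", frozenset({"contractors"})))
```

The allowlist does double duty: it decides which internal names get rewritten into the response, and it is the only table the inbound router consults, so a link the proxy never rewrote is also a destination it will never open. The ACL check runs on the normalised backend path, not on the raw gateway path, so the contractor request for /public/../hr/ in the usage line is denied rather than forwarded.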

Comparing the Approaches

Citrix Access Gateway (CAG) versus the AEP Netilla Security Platform (NSP):

CAG: Access product.
NSP: Secure access product.

CAG: Citrix-focused access only; lacks proxies.
NSP: Supports tunneling, Citrix, WTS, Linux and web applications via more secure proxy technology.

CAG: Lacks third-party accreditation (no FIPS, ICSA, VPNC).
NSP: Security focused (FIPS, ICSA and VPNC tested and approved).

CAG: Intrusive client-side install required; requires admin rights on the local PC.
NSP: Non-intrusive end-user deployment: no admin rights or hosts file edits on the local PC.

CAG: Complex network deployment: requires Web Interface and Secure Ticket Authority.
NSP: Much simpler: direct communication from the NSP to the Presentation Server(s) in the private network.

CAG: Provides end-to-end connections or tunnels.
NSP: Provides proxies to protect applications.

CAG: Complicated management and configuration.
NSP: Simple to deploy and manage: single-screen setup.

CAG: Trivial, limited authentication models.
NSP: V-Realms containers for authentication and policy.

CAG: Complex for end users; multi-step access process.
NSP: Citrix applications published right in the user's portal, with one-click access; Single Sign-On (SSO) capability via secure storage of credentials in session-based tokens for forwarding into applications; application auto-launch option.

CAG: Typical Citrix remote printing hassles.
NSP: Universal print driver for printing locally to any printer.

CAG: Supports third-party two-factor authentication only.
NSP: Integrated VASCO two-factor authentication server eliminates extra hardware purchases or Citrix infrastructure changes; the NSP also supports third-party two-factor solutions from RSA, Aladdin and others.

Conclusion: The Most Versatile SSL VPN Available

In the final analysis, SSL VPNs offer tremendous value as secure application gateways, offering a far simpler, safer and less costly approach than the CAG alternative.
The result is a powerful tool: a best-of-breed solution that maximizes an organization's application investment while protecting the company's critical business assets.

Try an Online Demo

See for yourself: visit http://www.aepnetworks.com/demo and see how easy secure access to Citrix can be.

Contact AEP Networks
info@aepnetworks.com
www.aepnetworks.com
U.S.: 877-652-5200 x5207
EMEA: +44 (0) 1442 458 640
Japan: +81-3-3432-3336
Hong Kong: +852 8199 0104