cag network
-
8/19/2019 CAG Network
1/56
Citrix Access Gateway Advanced Edition
Technical Overview
Seceidos GmbH & Co. KG
Robert Hochrein
-
Agenda
• Overview
• Citrix Access Gateway Advanced Edition
• Feature & Benefits
• Architecture
-
The Customer Problems

Problem callouts on the slide:
• Endpoint security, identification, and integrity validation
• Centralized access control to all IT resources
• Secure and hardened
• Control over how information and applications can be used
• Consistent user experience (bandwidth, latency, device idiosyncrasies)
• Cannot access from behind firewalls
• Access from widely varying devices
• Minimize re-authentication on re-connect
• Need access to all internal IT resources

Diagram labels: Internet; Mobile PDA; Home Computer; Partners; Corporate Laptop; Firewall; Access Gateway appliance; Advanced Access Control server; Firewall; File Servers; Web or App Servers; CPS Applications; Local Users; Email Servers; Desktops & Phones.
-
Citrix Access Gateway
• Universal SSL VPNs providing access to all internal IT resources, including IP telephony
• Hardened, scalable appliances
• Easy-to-use, automatically downloaded and updated client
• Controlled access with administrator-defined policies
• Tight integration with Citrix Presentation Server
-
Citrix Access Gateway SSL VPN Remote Access

Access Gateway Standard Edition: best for small-to-midsized customers. Simple and cost-effective secure remote access.
Access Gateway Advanced Edition: best for Presentation Server environments. Advanced access control and device flexibility.
Access Gateway Enterprise Edition: best for enterprise deployments. Complex and demanding environments.
-
Agenda
• Overview
• Citrix Access Gateway Advanced Edition
• Feature & Benefits
• Architecture
-
Access Gateway Standard Edition -> Access Gateway Advanced Edition (Model 2000)

What Advanced Edition adds:
• Tight information control
• Granular policy-based access (SmartAccess)
• Granular control of CPS apps (action rights)
• Customizable End Point Analysis
• Browser-only access (e.g. no clients)
• PDA and mobile device support
-
-
Agenda
• Overview
• Citrix Access Gateway Advanced Edition
• Feature & Benefits
• Architecture
-
Access Gateway Advanced Edition Features & Benefits

Feature: Policy-based Access and Action Rights Control
Function: Detect and adapt policies based on access scenario to control the flow of the organization's sensitive data
Benefits:
• Granular access controls
• Intellectual property protection
• Extend user's access to more situations
• Enhances security without affecting the user experience

Feature: Endpoint Analysis
Function: Determines client device status for access policies and provides device remediation.
Benefits:
• Enables corporate and regulatory compliance
• Extensible with industry standard development tools to meet customer needs

Feature: Browser-only Access
Function: Access with any web browser on any device to web sites, files, and email
Benefits:
• No additional client components
• Ubiquitous access

Feature: Mobile Device Awareness
Function: Re-factored email and file interface for PDAs and small-form-factor devices
Benefits:
• Seamless device transition
• User productivity

Feature: Extended Access Control for Presentation Server
Function: Policy-based control of Presentation Server using end-point analysis and network location awareness
Benefits:
• Address regulatory and security concerns
• Enhances Web Interface

Feature: Centralized Logging and Trend Reporting
Function: Provide sophisticated usage data for troubleshooting and planning
Benefits:
• Improved management
• Easy integration with 3rd party tools
-
Finding the Right Balance

Access
• Anywhere, anytime
  - After work hours
  - During office closures
  - On the road
• Access to all applications
• Access is transparent
• Access from any device

Information Security
• Protection of critical systems
  - Denial of service
  - Exposure to malware
• Intellectual property control
• Address regulatory compliance
• Risk mitigation
• Practical and cost-effective
-
SmartAccess Technology
• Extensive policy-based sense and response
• Automatically reconfigures the appropriate level of access as users roam between devices, locations and connections
• Advanced, extensible end-point security policies and analysis
• Action Rights Control defines what the user can access, and what actions they can take
-
Granular Controls

Corporate Desktop
• File Download
• Local Edit and Save
• File Upload
• E-mail Sync
• Web E-mail
• Full Presentation Server Access
• Full Presentation Server App Set

Remote Corporate Device
• Edit in Memory
• Limited Presentation Server access (read-only local drive mapping)
• Limited Presentation Server application set
• File Preview
• File Upload
• E-mail Sync
• Web E-mail

Public Kiosk
• File Preview
• Web E-mail
• Controlled Presentation Server Access
-
Elements of SmartAccess

1. Analyze Endpoint & Connection
   Machine identity: NetBIOS name, domain membership, MAC address
   Machine configuration: operating system, anti-virus system, personal firewall
   Network zone
   Authentication method

2. Apply Access Control
   Full download of documents
   Preview documents with HTML (access from PDAs; no viewer app on client)
   Attach to email
   Virtualized applications (avoid transmission to client; control applications; limit local mapped drives)

3. Apply Action Rights Control
   SSL-VPNs; CPS applications; file & network shares; web-based email; web sites (URLs); web applications; email synchronization client
-
Access Scenario: Corporate Users from a Hotel

Diagram labels: Internet; Partner Machine; Mobile PDA; Home Computer; Corporate Laptop; Firewall; Access Gateway appliance; Advanced Access Control server; Firewall; File Servers; Web or App Servers; CPS Applications; Email Servers; Desktops & Phones.

Action rights applied in this scenario ("OK" box):
• Download and access information: full download; download to memory only; access via CPS only; preview in HTML only
• Edit and save changes: save locally; save only to network; save disabled
• Print: print locally; print to selected printers only; printing disabled
• CPS applications
-
Access Scenario: Corporate Users from Home

Diagram labels: Internet; Mobile PDA; Home Computer; Partner Machine; Corporate Laptop; Firewall; Access Gateway appliance; Advanced Access Control server; Firewall; File Servers; Web or App Servers; CPS Applications; Email Servers; Desktops & Phones.

Action rights applied in this scenario ("OK" box):
• Download and access information: full download; download to memory only; access via CPS only; preview in HTML only
• Edit and save changes: save locally; save only to network; save disabled
• Print: print locally; print to selected printers only; printing disabled
• CPS applications
-
Policy Configuration
• Define resources which can be accessed and viewed by users
• Supported resource types:
  - File shares
  - Web sites
  - VPN network access
  - Email sync
  - Web-based email
-
Policy Configuration
• Policies are first defined by the resources which they affect
• Administrators may multi-select resources
-
Policy Configuration
• Policies define the permissions which apply to the selected resources
• Administrators set permissions based on resource type
• Policies can:
  - Grant access
  - Deny
  - Specify how a user can access a resource
-
Policy Configuration
• Policies can be defined to only apply under certain scenarios
• Filters define scenarios
-
Policy Configuration
• Filters can use a number of criteria including:
  - How the user authenticated
  - User's network location
  - Results of endpoint analysis
  - Client certificate queries
-
Policy Configuration
• Policies can be applied to specific users
• Users can be authenticated from:
  - RADIUS
  - LDAP
  - Secure LDAP
  - Active Directory
  - RSA SecurID
  - SecureComputing SafeWord
-
"Entire Network" Access
The pre-defined "Entire Network" resource can be used in policies to give users access to all servers in the network.
-
Phased Policy Rollout

Diagram labels: Web or App Servers; CPS Applications; File Servers; Email Servers; Desktops & Phones.

1. Define a group of trusted remote users
2. Grant full network access by giving access to the "Entire Network"
3. Restrict full access with end-point scans (if desired)
4. Prepare granular policies and roll out to select users as desired
-
Methodology for Defining Access Policies
1. Inventory all IT resources
2. Group resources into levels of sensitivity
3. Define end-user access scenarios
4. Associate end-user access scenarios with levels of sensitivity
5. Validate the policies with a select group using event logging
6. Roll policies into full production

Diagram labels: Web or App Servers; CPS Applications; File Servers; Email Servers; Desktops & Phones; Partner Machine; Mobile PDA; Corporate Laptop; Home Computer.
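The policy model spread across the Policy Configuration slides (resources, grant/deny permissions, filters keyed on authentication method, network location and endpoint-analysis results, the pre-defined "Entire Network" resource) and the per-scenario action rights of the Granular Controls and access-scenario slides, as one small evaluator. This is an added example, not Citrix code: the data structures, the "any deny wins, then the most restrictive right per action wins" combination rule, the resource, group and zone names and the sample scenarios are all assumptions constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Action-right values named on the slides, ordered least to most restrictive (the ordering is an assumption).
DOWNLOAD_RIGHTS = ("full", "memory_only", "cps_only", "html_preview")
SAVE_RIGHTS = ("local", "network_only", "disabled")
PRINT_RIGHTS = ("local", "selected_printers", "disabled")
ENTIRE_NETWORK = "Entire Network"   # the pre-defined resource the slides describe


@dataclass(frozen=True)
class Scenario:
    """What filters can look at: how the user authenticated, where they are, what endpoint analysis found."""
    auth_method: str
    network_zone: str
    epa: dict                 # endpoint analysis results, e.g. {"antivirus": True, "domain_member": True}
    user_groups: frozenset


@dataclass
class Filter:
    """A filter defines the scenario under which a policy applies; None means 'any'."""
    auth_methods: Optional[set] = None
    network_zones: Optional[set] = None
    epa_required: dict = field(default_factory=dict)

    def matches(self, s: Scenario) -> bool:
        if self.auth_methods is not None and s.auth_method not in self.auth_methods:
            return False
        if self.network_zones is not None and s.network_zone not in self.network_zones:
            return False
        return all(s.epa.get(k) == v for k, v in self.epa_required.items())


@dataclass
class Policy:
    name: str
    resources: set            # resources the policy affects (multi-select on the slides)
    groups: set               # users/groups it applies to
    scenario_filter: Filter
    grant: bool               # grant or deny
    rights: dict = field(default_factory=dict)   # how the resource may be used, e.g. {"download": "html_preview"}


class PolicyEngine:
    def __init__(self, policies):
        self.policies = list(policies)

    def decide(self, resource: str, scenario: Scenario) -> dict:
        """Assumed combination rule: any matching deny wins; otherwise the most restrictive right per action wins."""
        applicable = [p for p in self.policies
                      if resource in p.resources
                      and p.groups & scenario.user_groups
                      and p.scenario_filter.matches(scenario)]
        if not applicable or any(not p.grant for p in applicable):
            return {"access": False}
        decision = {"access": True}
        for action, order in (("download", DOWNLOAD_RIGHTS), ("save", SAVE_RIGHTS), ("print", PRINT_RIGHTS)):
            values = [p.rights[action] for p in applicable if action in p.rights]
            if values:
                decision[action] = max(values, key=order.index)   # later in the tuple = more restrictive
        return decision


def sample_policies():
    """Constructed policies mirroring the three columns of the Granular Controls slide."""
    employees = {"employees"}
    docs = {"file shares", "web email"}
    return [
        Policy("corporate desktop", docs | {ENTIRE_NETWORK}, employees,
               Filter(network_zones={"corporate_lan"}), True,
               {"download": "full", "save": "local", "print": "local"}),
        Policy("remote corporate device", docs, employees,
               Filter(network_zones={"internet"}, epa_required={"antivirus": True, "domain_member": True}), True,
               {"download": "memory_only", "save": "network_only", "print": "selected_printers"}),
        Policy("public kiosk", docs, employees,
               Filter(network_zones={"internet"}, epa_required={"domain_member": False}), True,
               {"download": "html_preview", "save": "disabled", "print": "disabled"}),
        # An explicit deny: the "Entire Network" (VPN) resource is not granted from the Internet zone.
        Policy("no VPN off-site", {ENTIRE_NETWORK}, employees,
               Filter(network_zones={"internet"}), False),
    ]


if __name__ == "__main__":
    engine = PolicyEngine(sample_policies())
    kiosk = Scenario("securid", "internet", {"antivirus": False, "domain_member": False}, frozenset({"employees"}))
    print(engine.decide("file shares", kiosk))
```

The evaluator keeps the two decisions the slides separate: first whether access is granted at all (resource, group and filter must all match, and no deny may match), then how the resource may be used (the action rights). Filters are deliberately a closed set of criteria, so a policy that names no criterion applies in every scenario.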
-
Action Rights Control: Overview
Designed to prevent inadvertent leakage of information normally associated with user error.
Example: users forget it is against company policy to access sensitive information from home or a kiosk.
-
Action Right: HTML Preview

Server-side rendering into HTML of:
• Microsoft Excel spreadsheets
• Microsoft PowerPoint presentations
• Microsoft Word documents
• Microsoft Visio diagrams
• Adobe PDF documents

• Provides access to documents when the client doesn't have a viewer application available, such as when viewing from a kiosk.
• Extends access to small-form-factor devices, such as PDAs
• HTML Preview can be resource-intensive, but can be configured as a separate server.

Note: Microsoft Office must be installed on the server(s) generating the HTML Preview. Requires a 3rd party PDF to HTML converter.
-
Action Right: File Type Association
• Secures important documents by preventing them from leaving the protected network
• Users don't have to trade usability for security
• Extends access to a wide range of devices and platforms
• Uses Presentation Server to provide access to a document requested from:
  - A protected web server
  - An email attachment
  - A file share
• Compatible with the ICA Java client
-
Action Right: File Type Association (request path)

Diagram: Internet | DMZ | Protected Network. Endpoint Device -> (HTTP/S) -> Access Gateway appliance -> (SSL) -> Advanced Access Control server (Web Proxy, Policy Engine, Presentation Server Connector) -> (HTTP/S) -> Enterprise Web Server; MetaFrame Presentation Server.

Interactions:
1) User selects a link in the browser window and the browser generates a request to the Access Gateway appliance
2) Appliance forwards the request to the web proxy component of AAC
3) Web Proxy decodes the URL of the request and determines the true destination of the request
4) Retrieve the session ticket from the cookie in the request header and perform access control against the Policy Engine
5) Policy Engine determines that the user has permission to access the requested
6) Forward the request to the destination
-
Action Right: File Type Association (response path)

Diagram: Internet | DMZ | Protected Network. Endpoint Device -> (HTTP/S, CGP/ICA) -> Access Gateway appliance -> (SSL, HTTPS) -> Advanced Access Control server (Web Proxy, Policy Engine, Presentation Server Connector) -> (HTTP/S) -> Protected Web Server; Citrix Presentation Server.

Interactions:
1) Web proxy receives response
2) Web proxy queries policy engine to determine access method. Document must be launched via Presentation Server
3) AAC generates an ICA file to invoke the ICA client on the endpoint
4) ICA client starts and generates a request to Presentation Server
5) Published app requests document from web server and displays it within the ICA session
-
Endpoint Analysis: Overview

Analyze the client machine to identify the device and determine if it is secured.

• Endpoint Analysis clients:
  - ActiveX client for IE browsers (requires Admin or Power User privileges)
  - Win32 install (via MSI)
  - Netscape plug-in for Netscape and Mozilla browsers
• 3rd party product integration (AV, personal firewall): Symantec/Norton, McAfee, TrendMicro, Microsoft, WholeSecurity, CheckPoint ICS, etc.
• Fully customizable via Citrix's EPA SDK:
  - SDK available on Citrix Developers Network
  - SDK is well integrated with Visual Studio .NET
-
Endpoint Analysis: User Interaction

Diagram: Endpoint Device | Internet | DMZ (Access Gateway appliance) | Protected Network / LAN (Advanced Access Control server).

Interactions:
1) User opens browser and points to appliance
2) Appliance detects a new session and deploys the endpoint scan client
3) Scan client is activated. It calls to dispatchers to retrieve scan parameters
4) Dispatchers retrieve scan scripts and parameters via Endpoint Analysis Web Service.
5) Browser downloads necessary endpoint analysis modules if not cached on endpoint. Modules are stored in the database and deployed from EAS, and scan operations execute
6) EPA client posts results to Endpoint Analysis Web Service via appliance and EAS executes transformation modules on results. May repeat from step 4 until all needed data is collected
7) Appliance posts transformed results to Authentication Service. EAS queries Policy Engine to determine if authentication is allowed
8) If yes, display the authentication page. Otherwise, provide feedback to instruct on steps for remediation.
9) At authentication, results are stored with session data
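Steps 4 to 8 of the interaction above, simulated end to end: raw scan output from a device is normalised by a transformation step into the values a policy can test, and the result either opens the authentication page or returns remediation feedback. This is an added example and not Citrix code or the EPA SDK: the scan names, the parameters, the assumed corporate domain name "CORP", the rule for which checks are mandatory and the remediation texts are all constructed for the demonstration.

```python
# Step 4: scan scripts and parameters as the dispatchers would hand them to the scan client (constructed).
SCAN_PARAMETERS = {
    "antivirus": {"vendors": ["Symantec", "McAfee", "TrendMicro"], "max_signature_age_days": 7},
    "personal_firewall": {},
    "domain_membership": {"domain": "CORP"},      # assumed corporate domain name
    "operating_system": {},
}

# Step 8: remediation feedback shown when a mandatory check fails (texts are constructed).
REMEDIATION = {
    "antivirus_ok": "Install a supported anti-virus product and update its signatures before retrying.",
    "firewall_ok": "Enable the personal firewall before retrying.",
}


def run_scans(endpoint: dict, parameters: dict) -> dict:
    """Step 5: the EPA client runs each scan module; a scan the device cannot answer yields None."""
    return {name: endpoint.get(name) for name in parameters}


def transform(raw: dict, parameters: dict) -> dict:
    """Step 6: transformation modules on EAS normalise raw scan output into the values policies test."""
    av = raw.get("antivirus") or {}
    fw = raw.get("personal_firewall") or {}
    av_ok = (av.get("vendor") in parameters["antivirus"]["vendors"]
             and av.get("signature_age_days", 10**6) <= parameters["antivirus"]["max_signature_age_days"])
    return {
        "antivirus_ok": bool(av_ok),
        "firewall_ok": bool(fw.get("enabled")),
        "domain_member": raw.get("domain_membership") == parameters["domain_membership"]["domain"],
        "os": raw.get("operating_system"),
    }


def authentication_allowed(results: dict) -> dict:
    """Step 7: the policy-engine gate in front of the logon page; which checks are mandatory is an assumption."""
    required = ("antivirus_ok", "firewall_ok")
    failed = [k for k in required if not results[k]]
    return {"allowed": not failed, "remediation": [REMEDIATION[k] for k in failed]}


def endpoint_analysis(endpoint: dict) -> tuple:
    """Steps 4 to 8 in sequence; returns the transformed results (what step 9 stores with the session) and the decision."""
    results = transform(run_scans(endpoint, SCAN_PARAMETERS), SCAN_PARAMETERS)
    return results, authentication_allowed(results)


if __name__ == "__main__":
    # Constructed device report: a managed laptop with current signatures and the firewall on.
    laptop = {"antivirus": {"vendor": "McAfee", "signature_age_days": 2},
              "personal_firewall": {"enabled": True},
              "domain_membership": "CORP", "operating_system": "Windows XP"}
    print(endpoint_analysis(laptop))
```

The split between `transform` and `authentication_allowed` is the point of the slide's step 6: raw vendor-specific data is reduced to a few normalised facts before any policy sees it, so a policy written against `antivirus_ok` does not change when a new scanner module is added. Note that `domain_member` is recorded but not required here; on the slides it feeds the later access policies rather than the pre-authentication gate.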
-
Browser-only Access
• Extend access to any device with a browser
• Absolutely no client required
• Deliver e-mail, file shares, web sites/applications to any device with a browser
• Automatically render Microsoft Office documents to HTML preview
-
Browser-only Access: Overview
• For use when an Access Gateway client is not deployed
• Obfuscates internal URLs
• Controls client-side caching
• Enforces access control
• Provides access to:
  - Protected web sites (Web Proxy)
  - File shares (Nav UI)
  - Web email (Outlook Web Access, iNotes, or Nav UI)
-
Browser-only Access: Web Proxy

Diagram: browser -> Access Gateway appliance -> AAC Server (Web Proxy) -> destination web server.

1) Request received from browser
2) Request is validated by verifying a valid session cookie and is forwarded to the AAC server. URL decoding occurs.
3) Proxy operations:
   a) Validate requested URL against allowed destinations in access control list
   b) Strip cookies from request (unless explicitly allowed).
   c) The request is forwarded to the destination web server.
   d) If HTTP Auth required, respond with primary session credentials or web form (if permitted by AAC administrator).
4) Response is received from the web server
5) Response processed and rewritten
   a) HTML content has links rewritten
   b) GIF
-
Browser-only Access: Web Proxy URL Rewriting
http:
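The Web Proxy steps on the previous two slides (session-cookie validation, decoding of an obfuscated URL to its true destination, the access-control-list check, cookie stripping, and rewriting of links in the returned HTML so they route back through the proxy) as one runnable model. This is an added example and not Citrix code: the obfuscation scheme (URL-safe base64 of the internal URL behind a truncated HMAC tag), the cookie name `AGSESSION`, the host names, the in-memory session table and the regex-based link rewriter are assumptions constructed for the demonstration; how the real appliance encodes URLs is not shown on the slides.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urljoin, urlsplit

PROXY_BASE = "https://gateway.example.test/proxy/"       # assumed external name of the appliance
SECRET = b"demo-only-key"                                 # constructed; a real deployment derives this per install
ALLOWED_DESTINATIONS = {"intranet.example.test", "wiki.example.test"}   # constructed access control list
SESSIONS = {"sess-123": "alice"}                          # constructed table of valid session tickets
TAG_LEN = 8


def encode_url(internal_url: str) -> str:
    """Obfuscate an internal URL so the browser never sees the real host name (step 5a output)."""
    raw = internal_url.encode()
    tag = hmac.new(SECRET, raw, hashlib.sha256).digest()[:TAG_LEN]
    return PROXY_BASE + base64.urlsafe_b64encode(tag + raw).decode().rstrip("=")


def decode_url(proxied_url: str) -> str:
    """Step 2 'URL decoding': recover the true destination and reject tokens that were altered."""
    if not proxied_url.startswith(PROXY_BASE):
        raise ValueError("not a proxied URL")
    token = proxied_url[len(PROXY_BASE):]
    blob = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    tag, raw = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(SECRET, raw, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tampered URL token")
    return raw.decode()


def rewrite_html(html: str, page_url: str) -> str:
    """Step 5a: rewrite every href/src so the next click also goes through the proxy (simplified regex rewriter)."""
    def repl(m):
        absolute = urljoin(page_url, m.group(2))
        return f'{m.group(1)}="{encode_url(absolute)}"'
    return re.sub(r'\b(href|src)="([^"]+)"', repl, html)


def handle_request(request: dict) -> dict:
    """Steps 1 to 3: validate the session, decode the URL, check the ACL, strip cookies, forward."""
    cookies = dict(c.strip().split("=", 1) for c in request.get("cookie", "").split(";") if "=" in c)
    if SESSIONS.get(cookies.get("AGSESSION")) is None:
        return {"status": 401, "reason": "no valid session cookie"}
    try:
        destination = decode_url(request["url"])
    except ValueError as err:
        return {"status": 400, "reason": str(err)}
    host = urlsplit(destination).hostname
    if host not in ALLOWED_DESTINATIONS:
        return {"status": 403, "reason": f"{host} not in access control list"}
    # Step 3b: no cookies travel to the internal server unless explicitly allowed (none are, here).
    return {"status": 200, "forward": {"url": destination, "cookie": ""}}


if __name__ == "__main__":
    link = encode_url("http://intranet.example.test/docs/a.html")
    print(link)
    print(handle_request({"url": link, "cookie": "AGSESSION=sess-123; tracking=1"}))
```

Two details matter for the security properties the slide claims. The integrity tag is what makes "obfuscates internal URLs" more than cosmetic: without it a user could craft tokens for arbitrary internal hosts, and the ACL check in step 3a would be the only line of defence. And the ACL check runs on the decoded destination's host, not on anything the browser supplied, which is the order the slide gives.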
-
Browser-only Access: Nav UI & Applications
Connection routed through the Web Proxy
-
Mobile Device Awareness
• Support for small form-factor devices:
  - Nav UI
  - Web Email
  - File Browser
  - HTML Preview
  - Email as attachment
• Supported platforms:
  - Palm
  - RIM Blackberry
  - PocketPC [version illegible in the extracted text]
  - Microsoft Smartphones
-
Mobile Device Awareness: User Experience
• User types the logon point URL into the PDA browser
• User enters login credentials, including two-factor as necessary
• After successful authentication, user is informed of session start
• User is presented with the file and email interface
-
Mobile Device Awareness: User Experience
• Create/view email
• Access shared or mapped drives
• Access, view and email Microsoft Office files without download
• Email documents from file shares
-
Extended Control for Citrix Presentation Server
• Set policies to securely launch documents using applications hosted on Presentation Server
• Set policy-based access to Presentation Server published applications
• Set policy-based access to Presentation Server virtual channels (e.g., local printing, local drive mapping)
• Reconnect to disconnected applications automatically at login (with policy-based access)
-
-
Upgrade from Standard Edition to Advanced Edition

Diagram labels: Internet; Mobile PDA; Home Computer; Partner Machine; Corporate Laptop; Firewall; Access Gateway appliance; Management Console; Advanced Access Control server; Firewall; File Servers; Web or App Servers; CPS Applications; Local Users; Email Servers; Desktops & Phones.
-
-
Appliance Management
• The Access Gateway cluster is configured in the Access Suite Console
-
Configuring Access Gateway with Advanced Access Control
• AAC provides rich, policy-based control of the VPN connection:
  - Specify which access scenarios may use VPN access.
  - Control split tunneling
  - Configure continuous endpoint scans
-
Agenda
• Overview
• Citrix Access Gateway Advanced Edition
• Feature & Benefits
• Architecture
-
-
Traffic Flow - VPN

Diagram labels: VPN Client Traffic; Firewall; Firewall; File Servers; Web.
-
AG Traffic & ICA
-
AG+AAC Traffic & Browser-based

Diagram labels: Firewall; File Servers; Web.
-
-
Components and Traffic Flow
• Outbound traffic: port [number illegible in the extracted text]
• Inbound traffic: port [number illegible in the extracted text]
-
Access Gateway Advanced Edition
Access Gateway appliance + Advanced Access Control server = defining a new level of control and access!
-
Additional Resources
• Access Gateway Technical Presentation & FAQ: http://sharepoint.citrite.net/sites/gateways/
• Endpoint Analysis SDK: http://apps.citrix.com/cdn
-