cag network

Upload: emy-argamosa

Post on 08-Jul-2018


  • 8/19/2019 CAG Network

    1/56

    Citrix Access Gateway Advanced Edition

    Technical Overview
    Seceidos GmbH & Co. KG

    Robert Hochrein

    [email protected]

    2/56

    Agenda

    Overview
    Citrix Access Gateway Advanced Edition
    Feature & Benefits
    Architecture

    3/56

    The Customer Problems

    Diagram labels: Internet; Mobile PDA; Home Computer; Partners; Corporate Laptop; Firewall; Access Gateway appliance; Advanced Access Control server; Firewall; File Servers; Web or App Servers; CPS Applications; Local Users; Email Servers; Desktops & Phones

    • Endpoint security, identification, and integrity validation
    • Centralized access control to all IT resources
    • Secure and hardened
    • Control over how information and applications can be used
    • Consistent user experience: bandwidth, latency, device idiosyncrasies
    • Cannot access from behind firewalls
    • Access from widely varying devices
    • Minimize re-authentication on re-connect
    • Need access to all internal IT resources

    4/56

    Citrix Access Gateway

    • Universal SSL VPNs providing access to all internal IT resources, including IP telephony
    • Hardened, scalable appliances
    • Easy-to-use, automatically downloaded and updated client
    • Controlled access with administrator-defined policies
    • Tight integration with Citrix Presentation Server

    5/56

    Citrix Access Gateway SSL VPN Remote Access

    Access Gateway Standard Edition
      Best for small-to-midsized customers
      Simple and cost-effective secure remote access

    Access Gateway Advanced Edition
      Best for Presentation Server environments
      Advanced access control and device flexibility

    Access Gateway Enterprise Edition
      Best for enterprise deployments
      Complex and demanding environments

    6/56

    Agenda

    Overview
    Citrix Access Gateway Advanced Edition
    Feature & Benefits
    Architecture

    7/56

    Access Gateway Standard Edition and Access Gateway Advanced Edition

    Advanced Edition:
    • Tight information control
    • Granular policy based access (SmartAccess)
    • Granular control of CPS apps (action rights)
    • Customizable End Point Analysis
    • Browser-only access (e.g. no clients)
    • PDA and mobile device support

    Access Gateway Advanced Edition, Model 2000

    9/56

    Agenda

    Overview
    Citrix Access Gateway Advanced Edition
    Feature & Benefits
    Architecture

    10/56

    Access Gateway Advanced Edition: Features & Benefits

    Feature: Policy-based Access and Action Rights Control
      Function: Detect and adapt policies based on access scenario to control the flow of the organization's sensitive data
      Benefit:
      • Granular access controls
      • Intellectual property protection
      • Extend user's access to more situations
      • Enhances security without affecting the user experience

    Feature: Endpoint Analysis
      Function: Determines client device status for access policies and provides device remediation.
      Benefit:
      • Enables corporate and regulatory compliance
      • Extensible with industry standard development tools to meet customer needs

    Feature: Browser-only Access
      Function: Access with any web browser on any device to web sites, files, and email
      Benefit:
      • No additional client components
      • Ubiquitous access

    Feature: Mobile Device Awareness
      Function: Re-factored email and file interface for PDAs and small-form factor devices
      Benefit:
      • Seamless device transition
      • User productivity

    Feature: Extended Access Control for Presentation Server
      Function: Policy-based control of Presentation Server using end-point analysis and network location awareness
      Benefit:
      • Address regulatory and security concerns
      • Enhances Web Interface

    Feature: Centralized Logging and Trend Reporting
      Function: Provide sophisticated usage data for troubleshooting and planning
      Benefit:
      • Improved management
      • Easy integration with 3rd party tools

    11/56

    Finding the Right Balance

    Access
    • Anywhere, anytime
      - After work hours
      - During office closures
      - On the road
    • Access to all applications
    • Access is transparent
    • Access from any device

    Information Security
    • Protection of critical systems
      - Denial of service
      - Exposure to malware
    • Intellectual property control
    • Address regulatory compliance
    • Risk mitigation
    • Practical and cost-effective

    12/56

    SmartAccess Technology

    • Extensive policy-based sense and response
      - Automatically reconfigures the appropriate level of access as users roam between devices, locations and connections
      - Advanced, extensible end-point security policies and analysis
    • Action Rights Control defines what the user can access, and what actions they can take

    13/56

    Granular Controls

    Corporate Desktop
    • File Download
    • Local Edit and Save
    • File Upload
    • E-mail Sync
    • Web E-mail
    • Full Presentation Server Access
    • Full Presentation Server App Set

    Remote Corporate Device
    • Edit in Memory
    • Limited Presentation Server access (read-only local drive mapping)
    • Limited Presentation Server application set
    • File Preview
    • File Upload
    • E-mail Sync
    • Web E-mail

    Public Kiosk
    • File Preview
    • Web E-mail
    • Controlled Presentation Server Access

    14/56

    Elements of SmartAccess

    Analyze Endpoint & Connection
    • Machine Identity: NetBIOS name; Domain Membership; MAC address
    • Machine Configuration: Operating System; Anti-Virus System; Personal Firewall
    • Network Zone
    • Authentication Method

    Apply Access Control
    • SSL-VPNs
    • CPS applications
    • File & network shares
    • Web based email
    • Web sites (URLs)
    • Web applications
    • Email synchronization
    • Client

    Apply Action Rights Control
    • Full download of documents
    • Preview documents with HTML: access from PDAs; no viewer app on client
    • Attach to email: avoid transmission to client
    • Virtualized Applications: control applications; limit local mapped drives

    15/56

    Access Scenario: Corporate Users from a Hotel

    Diagram labels: Internet; Partner Machine; Mobile PDA; Home Computer; Corporate Laptop; Firewall; Access Gateway appliance; Advanced Access Control server; Firewall; File Servers; Web or App Servers; CPS Applications; Email Servers; Desktops & Phones; OK

    • Download and Access Information: Full download; Download to memory only; Access via CPS only; Preview in HTML only
    • Edit and Save Changes: Save locally; Save only to network; Save disabled
    • Print: Print locally; Print to selected printers only; Printing disabled
    • CPS Applications

    16/56

    Access Scenario: Corporate Users from Home

    Diagram labels: Internet; Mobile PDA; Home Computer; Partner Machine; Corporate Laptop; Firewall; Access Gateway appliance; Advanced Access Control server; Firewall; File Servers; Web or App Servers; CPS Applications; Email Servers; Desktops & Phones; OK

    • Download and Access Information: Full download; Download to memory only; Access via CPS only; Preview in HTML only
    • Edit and Save Changes: Save locally; Save only to network; Save disabled
    • Print: Print locally; Print to selected printers only; Printing disabled
    • CPS Applications

    17/56

    Policy Configuration

    • Define resources which can be accessed and viewed by users
    • Supported resource types:
      - File shares
      - Web sites
      - VPN network access
      - Email sync
      - Web-based email

    18/56

    Policy Configuration

    • Policies are first defined by the resources which they affect
    • Administrators may multi-select resources

    19/56

    Policy Configuration

    • Policies define the permissions which apply to the selected resources
    • Administrators set permissions based on resource type
    • Policies can:
      - Grant access
      - Deny
      - Specify how a user can access a resource

    20/56

    Policy Configuration

    • Policies can be defined to only apply under certain scenarios
    • Filters define scenarios

    21/56

    Policy Configuration

    • Filters can use a number of criteria including:
      - How the user authenticated
      - User's network location
      - Results of endpoint analysis
      - Client certificate queries

    22/56

    Policy Configuration

    • Policies can be applied to specific users
    • Users can be authenticated from:
      - RADIUS
      - LDAP
      - Secure LDAP
      - Active Directory
      - RSA SecurID
      - Secure Computing SafeWord

    23/56

    "Entire Network" Access

    The pre-defined "Entire Network" resource can be used in policies to give users access to all servers in the network.

    24/56

    Phased Policy Rollout

    1. Define a group of trusted remote users
    2. Grant full network access by giving access to the "Entire Network"
    3. Restrict full access with end-point scans (if desired)
    4. Prepare granular policies and roll out to select users as desired

    25/56

    Methodology for Defining Access Policies

    1. Inventory all IT resources
    2. Group resources into levels of sensitivity
    3. Define end user access scenarios
    4. Associate end user access scenarios with levels of sensitivity
    5. Validate the policies with a select group using event logging
    6. Roll policies into full production

    26/56

    Action Rights Control: Overview

    Designed to prevent inadvertent leakage of information normally associated with user error.

    Example: Users forget it is against company policy to access sensitive information from home or a kiosk.

    27/56

    Action Right: HTML Preview

    Server-side rendering into HTML of:
      - Microsoft Excel spreadsheets
      - Microsoft PowerPoint presentations
      - Microsoft Word documents
      - Microsoft Visio diagrams
      - Adobe PDF documents

    • Provides access to documents when the client doesn't have a viewer application available, such as viewing from a kiosk.
    • Extends access to small-form factor devices, such as PDAs
    • HTML Preview can be resource-intensive, but can be configured as a separate server.

    Microsoft Office must be installed on the server(s) generating the HTML Preview.
    Requires a 3rd party PDF to HTML converter.

    28/56

    Action Right: File Type Association

    • Secures important documents by preventing them from leaving the protected network
    • Users don't have to trade usability for security
    • Extends access to a wide range of devices and platforms
    • Uses Presentation Server to provide access to a document requested from:
      - A protected web server
      - An email attachment
      - A file share
    • Compatible with the ICA Java client

    29/56

    Action Right: File Type Association

    Diagram labels: Internet; DMZ; Protected Network; Endpoint Device; Access Gateway appliance; Advanced Access Control server; Web Proxy; Policy Engine; Enterprise Web Server; MetaFrame Presentation Server; Presentation Server Connector; HTTP/S; SSL

    Interactions:
    1) User selects a link in the browser window and the browser generates a request to the Access Gateway appliance
    2) Appliance forwards the request to the web proxy component of AAC
    3) Web Proxy decodes the URL of the request and determines the true destination of the request
    4) Retrieve the session ticket from the cookie in the request header and perform access control against the Policy Engine
    5) Policy Engine determines that user has permission to access the requested
    6) Forward the request to the destination

    30/56

    Action Right: File Type Association

    Diagram labels: Internet; DMZ; Protected Network; Endpoint Device; Access Gateway appliance; Advanced Access Control server; Web Proxy; Policy Engine; Protected Web Server; Citrix Presentation Server; Presentation Server Connector; CGP/ICA; SSL; HTTP/S; HTTPS

    Interactions:
    1) Web proxy receives response
    2) Web proxy queries policy engine to determine access method. Document must be launched via Presentation Server
    3) AAC generates an ICA file to invoke the ICA client on the endpoint
    4) ICA client starts and generates a request to Presentation Server
    5) Published app requests document from web server and displays it within the ICA session

    31/56

    Endpoint Analysis: Overview

    Analyze the client machine to identify the device and determine if it is secured.

    • Endpoint Analysis clients:
      - ActiveX client for IE browsers (requires Admin or Power User privileges)
      - Win32 install (via MSI)
      - Netscape plug-in for Netscape and Mozilla browsers
    • 3rd party product integration (AV, Personal Firewall):
      - Symantec/Norton, McAfee, TrendMicro, Microsoft, WholeSecurity, CheckPoint ICS, etc.
    • Fully customizable via Citrix's EPA SDK:
      - SDK available on Citrix Developers Network
      - SDK is well-integrated with Visual Studio.NET

    32/56

    Endpoint Analysis: User Interaction

    Diagram labels: Endpoint Device; Internet; DMZ; Protected Network (LAN); Access Gateway appliance; Advanced Access Control server

    Interactions:
    1) User opens browser and points to appliance
    2) Appliance detects a new session and deploys the endpoint scan client
    3) Scan client is activated. It calls to dispatchers to retrieve scan parameters
    4) Dispatchers retrieve scan scripts and parameters via Endpoint Analysis Web Service.
    5) Browser downloads necessary endpoint analysis modules if not cached on endpoint. Modules are stored in the database and deployed from EAS and scan operations execute
    6) EPA client posts results to Endpoint Analysis Web Service via appliance and EAS executes transformation modules on results. May repeat from step 4 until all needed data is collected
    7) Appliance posts transformed results to Authentication Service. EAS queries Policy Engine to determine if authentication is allowed
    8) If yes, display the authentication page. Otherwise, provide feedback to instruct on steps for remediation.
    9) At authentication, results are stored with session data

    33/56

    Browser-only Access

    • Extend access to any device with a browser
    • Absolutely no client required
    • Deliver e-mail, file shares, web sites/applications to any device with a browser
    • Automatically render Microsoft Office documents to HTML preview

    34/56

    Browser-only Access: Overview

    • For use when an Access Gateway client is not deployed
    • Obfuscates internal URLs
    • Controls client-side caching
    • Enforces access control
    • Provides access to:
      - Protected Web Sites: Web Proxy
      - File Shares: Nav UI
      - Web email: Outlook Web Access, iNotes, or Nav UI

    35/56

    Browser-only Access: Web Proxy

    1) Request received from browser
    2) Request is validated by verifying a valid session cookie and is forwarded to the AAC server. URL decoding occurs.
    3) Proxy operations:
       a) Validate requested URL against allowed destinations in access control list
       b) Strip cookies from request (unless explicitly allowed).
       c) The request is forwarded to the destination web server.
       d) If HTTP Auth required, respond with primary session credentials or web form (if permitted by AAC administrator).
    4) Response is received from the web server
    5) Response processed and rewritten
       a) HTML content has links rewritten
       b) GIF
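    The web proxy steps above (session cookie check, URL decoding, ACL validation, cookie stripping, link rewriting in the HTML response) as an added, offline simulation; this is example code written for this page, not Citrix code. The gateway host name, the base64url obfuscation of internal URLs, the ACL shape (allowed host mapped to the cookie names that may pass through) and the request dictionaries are all assumptions.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed gateway base: every obfuscated internal URL hangs off this prefix.
GATEWAY = "https://gateway.example.com/proxy/"

def encode_url(url: str) -> str:
    """Obfuscate an internal URL as a gateway URL (base64url is an assumption)."""
    token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return GATEWAY + token

def decode_url(gateway_url: str) -> str:
    """Step 2: recover the true destination from the gateway URL."""
    token = gateway_url[len(GATEWAY):]
    token += "=" * (-len(token) % 4)          # restore stripped padding
    return base64.urlsafe_b64decode(token).decode()

def allowed(url: str, acl: dict) -> bool:
    """Step 3a: the destination host must be in the allowed-destination list."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and parts.hostname in acl

def proxy_request(req: dict, sessions: set, acl: dict):
    """Steps 2 to 3c: validate the session cookie, decode the URL, apply the
    ACL, strip cookies. Returns (status, request to forward or None)."""
    cookies = req.get("cookies", {})
    if cookies.get("session") not in sessions:
        return 401, None                      # no valid session cookie
    dest = decode_url(req["url"])
    if not allowed(dest, acl):
        return 403, None                      # destination not in the ACL
    # Step 3b: browser cookies belong to the gateway session, not the backend;
    # only names the administrator explicitly allowed for this host pass.
    passthrough = acl[urlsplit(dest).hostname]
    fwd_cookies = {k: v for k, v in cookies.items() if k in passthrough}
    return 200, {"method": req["method"], "url": dest, "cookies": fwd_cookies}

LINK_RE = re.compile(r'(href|src)="(https?://[^"]+)"')

def rewrite_html(html: str, acl: dict) -> str:
    """Step 5a: rewrite absolute links to allowed hosts back through the
    gateway so the next click stays inside the proxy; others are untouched."""
    def repl(m):
        attr, url = m.group(1), m.group(2)
        return f'{attr}="{encode_url(url)}"' if allowed(url, acl) else m.group(0)
    return LINK_RE.sub(repl, html)

# Constructed ACL: allowed internal host -> cookie names that may pass through.
ACL = {"intranet.corp.example": {"lang"}}
SESSIONS = {"ticket-123"}                    # constructed valid session tickets
```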

    36/56

    Browser-only Access: Web Proxy URL Rewriting

    http:

    37/56

    Browser-only Access: Nav UI & Applications

    Connection routed through the Web Proxy

    38/56

    Mobile Device Awareness

    • Support for small form-factor devices:
      - Nav UI
      - Web Email
      - File Browser
      - HTML Preview
      - Email as attachment
    • Supported platforms:
      - Palm
      - RIM Blackberry
      - PocketPC
      - Microsoft Smartphones

    39/56

    Mobile Device Awareness: User Experience

    • User types the logon point URL into the PDA browser
    • User enters login credentials, including two-factor as necessary
    • After successful authentication, user is informed of session start
    • User is presented with the file and email interface

    40/56

    Mobile Device Awareness: User Experience

    • Create/view email
    • Access shared or mapped drives
    • Access, view and email Microsoft Office files without download
    • Email documents from file shares

    41/56

    Extended Control for Citrix Presentation Server

    • Set policies to securely launch documents using applications hosted on Presentation Server
    • Set policy-based access to Presentation Server published applications
    • Set policy-based access to Presentation Server virtual channels (e.g., local printing, local drive mapping)
    • Reconnect to disconnected applications automatically at login (with policy-based access)

    43/56

    Upgrade from Standard Edition to Advanced Edition

    Diagram labels: Internet; Mobile PDA; Home Computer; Partner Machine; Corporate Laptop; Firewall; Access Gateway appliance; Management Console; Advanced Access Control server; Firewall; File Servers; Web or App Servers; CPS Applications; Local Users; Email Servers; Desktops & Phones

    45/56

    Appliance Management

    • Access Gateway cluster is configured in the Access Suite Console

    46/56

    Configuring Access Gateway with Advanced Access Control

    • AAC provides rich, policy-based control of the VPN connection:
      - Specify which access scenarios may use VPN access
      - Control split tunneling
      - Configure continuous endpoint scans

    47/56

    Agenda

    Overview
    Citrix Access Gateway Advanced Edition
    Feature & Benefits
    Architecture

    49/56

    Traffic Flow - VPN

    Diagram labels: Firewall; Firewall; VPN Client Traffic; File Servers; Web

    50/56

    AG Traffic - ICA

    51/56

    AG/AAC Traffic - Browser-based

    Diagram labels: Firewall; File Servers; Web

    53/56

    Components and Traffic Flow

    Outbound traffic: port A!
    Inbound traffic: port

    54/56

    Access Gateway Advanced Edition

    Access Gateway appliance
    Advanced Access Control server
    "Defining a new level of control and access!"

    55/56

    Additional Resources:

    • Access Gateway Technical Presentation & FAQ:
      http://sharepoint.citrite.net/sites/gateways/
    • Endpoint Analysis SDK:
      http://apps.citrix.com/cdn
