Citrix® Secure Gateway
Phil Montgomery, Senior Product Manager
Citrix Products and Services, October 2001
Learning Objectives
In this session, you will:
Get a preview of the new features and benefits of the Citrix Secure Gateway.
Learn how Citrix Secure Gateway (CSG) can provide Internet-based access to applications for remote employees, customers, and partners.
Agenda
Business Goals and Drivers
Citrix Goals and Solution
What is CSG?
CSG Architecture
CSG Technology Preview
Citrix Security Solutions
Demonstration
Summary, Q&A
Business Goals
Leverage Internet to deliver value outside of traditional models.
Demonstrable ROI
Do more with less
Do it before the competition does
Business Drivers
Remote access for employees, customers, and partners
B2B and B2C customers, displaced across many geographic locations
Assume the user has only a web browser and a limited Internet connection
Access to key business applications
Security
Speed to market and development costs
Citrix Goals
Build a solution to securely and simply deliver MetaFrame applications across the Internet, on demand, to any device.
Barriers to implementation
ICA port 1494 not normally open on firewalls, difficult to open up
Use standards-based encryption and protect against “man-in-the-middle” attacks (SecureICA is vulnerable to such attacks)
Large, difficult, intrusive, VPN client installs not suitable for many deployment types
Cost of VPN solutions, especially to large customer base
Hide MetaFrame servers from being seen or directly accessed from Internet
What is CSG?
Gateway between an SSL enabled ICA client and one or more MetaFrame servers
Tunnels ICA traffic inside SSL.
Limited to ICA only – not a general purpose VPN.
Runs independently from MetaFrame, links into NFuse for authorization
Three components:
CSG Server
Secure Ticket Authority
Modified NFuse
Previously known as project “Snowy”
Solution Components
Citrix Secure Gateway (CSG)
Other components:
Metaframe
NFuse
SSL enabled clients
Optionally
Secure web server and/or portal (e.g. Citrix XPS)
Replaceable authentication (e.g. SecurID, smart card)
ICA client object (ICO)
CSG components
Client Workstation
CSG Server
NFuse/Web Server
MetaFrame Server Farm
Secure Ticketing Authority (STA)
CSG with NFuse
[Diagram: The web browser connects over HTTP/S to the secure web server running NFuse in the DMZ. NFuse talks to the Citrix XML Service on the MetaFrame server farm over XML-HTTP/80. The ICA client connects to the CSG server in the DMZ over ICA/SSL on port 443, and the CSG server connects to the MetaFrame server farm over ICA/1494.]
Initial connection is always established with the web server.
The user may not even have the Citrix client installed.
CSG Ticketing
[Diagram: Web browser and ICA client on the Internet; secure web server (NFuse) and CSG server in the DMZ; Secure Ticketing Authority and production MetaFrame farm (Citrix XML Service) on the internal network.]
1. Standard NFuse ICA name resolution: NFuse asks the Citrix XML Service (standard NFuse XML) which server hosts the application.
2. Ticket generation: on application launch, NFuse requests a CSG ticket from the Secure Ticketing Authority.
3. ICA file: the CSG ticket is delivered to the ICA client as part of the ICA file.
4. ICA/SSL: the CSG ticket is delivered to the CSG server as part of the SOCKS information inside SSL.
5. Ticket verification: the CSG server verifies the ticket with the STA and opens the ICA/1494 connection to the MetaFrame farm.
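The five ticketing steps above, modelled end to end as an added example (this is not Citrix code and does not reproduce the real STA or ICA file format). It assumes, since the slides do not say, that a ticket is an opaque random token valid for a short window and redeemable exactly once, that the client carries it to the gateway as the destination name of a SOCKS5 CONNECT (RFC 1928) sent inside the SSL tunnel, and that the ICA file keys shown are illustrative. The sample host names, addresses and clock values are constructed.

```python
import secrets
import struct

# Added illustration of the CSG ticketing flow on these slides; not Citrix code.
# Assumptions not stated on the slides: a ticket is an opaque random token, valid
# for a short window and redeemable exactly once; the client carries it to the
# gateway as the destination name of a SOCKS5 CONNECT inside the SSL tunnel.


class SecureTicketAuthority:
    """Step 2 (issue) and step 5 (verify). Keeps ticket -> target mapping in memory."""

    def __init__(self, ttl_seconds, clock):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested deterministically
        self._tickets = {}          # ticket -> (server_address, port, expires_at)

    def request_ticket(self, server_address, port):
        ticket = secrets.token_hex(16)   # 128 bits of randomness: not guessable
        self._tickets[ticket] = (server_address, port, self.clock() + self.ttl)
        return ticket

    def validate_ticket(self, ticket):
        entry = self._tickets.pop(ticket, None)   # pop: a ticket can be redeemed once
        if entry is None:
            return None                          # unknown or already used (replay)
        server_address, port, expires_at = entry
        if self.clock() > expires_at:
            return None                          # expired: launch took too long
        return server_address, port


def build_ica_file(sta, csg_host, app_name, server_address, port=1494):
    """Steps 1-3: the address resolved by NFuse is swapped for a ticket before the
    ICA file leaves the DMZ, so the client never learns the farm address."""
    ticket = sta.request_ticket(server_address, port)
    return (                                  # key names are illustrative only
        f"[{app_name}]\n"
        f"Address={ticket}\n"
        f"SSLProxyHost={csg_host}:443\n"
        "SSLEnable=On\n"
    )


def ticket_from_ica_file(ica_text):
    for line in ica_text.splitlines():
        if line.startswith("Address="):
            return line.split("=", 1)[1]
    raise ValueError("no Address key in ICA file")


def build_socks_connect(ticket, port=1494):
    """Step 4: SOCKS5 CONNECT (RFC 1928) with ATYP=3 (domain name) carrying the ticket."""
    name = ticket.encode("ascii")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_socks_connect(data):
    """Gateway side of step 4: pull the ticket back out of the CONNECT request."""
    if len(data) < 5 or data[0] != 5 or data[1] != 1 or data[3] != 3:
        raise ValueError("not a SOCKS5 CONNECT with a domain-name destination")
    n = data[4]
    if len(data) != 5 + n + 2:
        raise ValueError("truncated SOCKS5 request")
    return data[5:5 + n].decode("ascii")


def gateway_accept(sta, socks_request, connect_to_farm):
    """Step 5: verify the ticket with the STA, then open ICA/1494 to the real server.
    Returns None (connection refused) for unknown, replayed or expired tickets."""
    ticket = parse_socks_connect(socks_request)
    target = sta.validate_ticket(ticket)
    if target is None:
        return None
    return connect_to_farm(*target)


def demo():
    """Run the flow once, replay the same ticket, then redeem an expired one."""
    now = [1000.0]                                  # constructed fake clock
    sta = SecureTicketAuthority(ttl_seconds=100, clock=lambda: now[0])
    opened = []
    connect = lambda host, port: opened.append((host, port)) or (host, port)

    ica = build_ica_file(sta, "csg.example.com", "Notepad", "10.0.0.25")  # constructed
    req = build_socks_connect(ticket_from_ica_file(ica))
    first = gateway_accept(sta, req, connect)       # ('10.0.0.25', 1494)
    replay = gateway_accept(sta, req, connect)      # None: ticket already consumed

    stale = build_ica_file(sta, "csg.example.com", "Notepad", "10.0.0.26")
    now[0] += 101                                   # client waited longer than the TTL
    expired = gateway_accept(sta, build_socks_connect(ticket_from_ica_file(stale)), connect)

    return {"first": first, "replay": replay, "expired": expired,
            "ica_leaks_farm_address": "10.0.0.25" in ica, "connections_opened": len(opened)}


if __name__ == "__main__":
    print(demo())
```

The two checks worth keeping from this model are the ones the gateway relies on: the ICA file handed to the browser contains the gateway name and a ticket but never the farm address, and a ticket that has been redeemed once, or sat longer than its lifetime, opens nothing on port 1494.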
CSG Architecture 1
Authorization based on ticketing, leverages NFuse for Authentication
Compatible with wide range of authentication systems
Replaceable Secure Ticketing Authority (STA)
Works with replaceable auth – e.g. SecurID, Smartcard
Operates in Gateway mode – installed in DMZ
Highly scalable – by design
Single CSG server can support 1000 to 2000 concurrent connections
Highly reliable – fail-over support for STA, external Load Balancer for main CSG Server.
CSG Architecture 2
Uses XML for inter-component communication
Components are easily replaceable by Citrix or 3-rd party
SOAP is considered as the next step
No changes necessary to MetaFrame servers
Can be quickly installed into existing system
Packaging
Provided at no additional cost to valid Subscription Advantage customers
Download only
Included in future MetaFrame release
English and possibly Japanese (product is Internationalized)
v1.0 Windows 2000 server platform
Technology Preview
Private Preview, available from hidden URL http://cdn.citrix.com/snowy
Create CDN account and login before entering URL.
Time-bombed to expire 1st Feb 2002
Windows 2000 and IIS/NFuse only
No support – feedback to [email protected]
Need at least 2 machines, one running CSG, the other NFuse/STA. 3 machines is recommended.
Need server SSL certificate & High Encryption Pack
Things to come
Q1/2 2002 –Solaris
Q3/Q4 – v1.5 – Possible features:
•Improved Management (SNMP, WMI, MMC)
•TLS support
•Government certifications
•End to End SSL
•SDK
We need your feedback on CSG directions!
Citrix Solutions
[Diagram: security spectrum from lower security to highest security: ICA, SecureICA, SSL Relay, CSG Server, Citrix Extranet. SSL Relay and CSG Server are the SSL solutions.]
Use what, when?
Use SecureICA when:
• Secure DOS or Win16 access is necessary
• Have old devices/ICA clients that cannot be upgraded
• Risk of “man-in-the-middle” attack is acceptable
Use SSL Relay when:
• Small number of MetaFrame servers to support (<5)
• No need to secure access at DMZ
• No need to hide server IP addresses, or NAT is used
• Need end-to-end encryption of data between client and server
Use what, when?
Use Citrix Secure Gateway when:
• Large number of servers to support
• Want to hide internal network addresses
• Want to secure from DMZ
• Need 2-factor authentication (in conjunction with NFuse)
• Need non-intrusive client install, e.g. access from Internet cafes
Use Citrix Extranet or another VPN when:
• Need 2-factor authentication
• Need to create a secure pipeline for full (beyond ICA) network access
• Need to create secure tunnels between sites
• Want to secure from within DMZ
• Access is normally via same workstation, i.e. OK to install intrusive client
• Want to use IPSEC
Key information sources
CSG Tech Preview - http://cdn.citrix.com/snowy
Feedback to [email protected]
Product Manager: [email protected]
Demonstration
Summary
Q&A