konsolidieren und schützen sie die zugriffe auf beliebige...

Peter Leimgruber, SE networking, Citrix

Konsolidieren und schützen Sie die Zugriffe auf beliebige Unternehmensanwendungen mit dem Citrix Unified Gateway

© 2015 Citrix | Confidential

Unified Gateway


Client/Server

SaaS

SG

ADC

SSL VPN mVPN

Distributed App Infrastructure

Public Cloud

Hybrid Cloud On Prem

Currently many customer use NetScaler only for XenApp and XenDesktop

Mobile User

ICA


• Multiple point solutions result in: – Multiple URLs provide limited or poor end

user experience

– Complicated and hard to manage infrastructure

– Multiple islands, limited integration between solutions

– Multiple upgrade cycles that lead to disruption

– Misconfiguration of security and access policies

…but many customers are looking for a Unified Solution for remote access

Mobile User Client/Server

SaaS

SG

ADC ICA

SSL VPN mVPN

Distributed App Infrastructure

Public Cloud

Hybrid Cloud On Prem

NetScaler with Unified Gateway provides One URL and consolidation of remote access infrastructure


Use Case 1: NetScaler with Unified Gateway provides secure and remote access to Web and Enterprise legacy apps

• Provides secure remote access to web and enterprise legacy applications like: – ERP/CR applications – SharePoint applications – Network file share etc.

• Provide AAA-TM monitoring for these applications

• CVPN for Microsoft applications like SharePoint, OWA, Lync

• Support for Windows, MAC, Linux, iOS and Android

• Native and 3rd party Single Sign-On across applications

• Single portal to publish applications


Use Case 2: NetScaler with Unified Gateway provides secure and remote access to Citrix XenApp and XenDesktop

• Provides centralized access control policy management for Citrix XenApp/XenDesktop applications

• Only product to provide complete visibility and monitoring tools for XA/XD traffic

• Only product to provide Adaptive access control policies for XA/XD

• EPA scans of end user devices

• Native and 3rd party single sign-on across applications

• Single portal to publish applications


Use Case 3: NetScaler with Unified Gateway provides secure and remote access to Cloud and SaaS applications

• Provides AAA-TM monitoring for cloud and SaaS applications like – SalesForce – Office 365 – Etc.

• Native and 3rd party single sign-on across applications

• Centralized access control policies

• Single portal to publish all cloud/SaaS applications


Use Case 4: NetScaler provides seamless integration with XenMobile

• Seamless integration with Citrix XenMobile

• Per App VPN (MicroVPN) for XM applications

• EPA scans of end user devices

• Optimization of XM traffic

• Visibility and monitoring tools for XM traffic

• One single portal to publish applications

• Gateway vserver – can be behind CS vserver. – Does not need IP/port. – Single point of configuration for all policies(Authentication/authorization/session)

• Login once – One login for all GW/TM/SaaS apps that are published on gateway portal.

• Logout once – Single logout for all TM web apps/enterprise apps behind Unified Gateway.

Unified Gateway- What’s new in Gateway?

Unified Gateway: Topology

GW

CS

LB

LB

LB

svc

svc

svc

Login Once

Clientless Access

VPN/Tunnel Access

Virtual Apps & Desktops Access & SSO

Auth

Unified Gateway: Topology

GW

CS

LB

LB

LB

svc

svc

svc

Login Once

Clientless Access

VPN Access

Virtual Apps & Desktops Access & SSO

Auth

Unified Gateway: Quick look at the portal

ENterE

Internet

External SAML SP

HTTP/ SSL Backends (Basic/ Digest/ Form/ NTLM/ Kerberoes)

AUTH Servers XA/ XD/ XM etc., OWA/ SP

CSVserver

GW Vserver

Auth happens

@ GW

HTTPTMLB

SSL TM LB

Auth/GW VServer

HTTP

/ SSL

TM

Bac

kend

s

Content Switching Seamless SSO Backend Traffic

Unified Gateway - Seamless SSO (GW TM)

CS Policy Evaluation

Seamless SSO

Backend SSO

HTTP/ SSL GW Backends

Seamless SSO

Enterprise/On prem

Internet

HTTP/ SSL Backends (Basic/ Digest/ Form/ NTLM/ Kerberoes)

AUTH Servers XA/ XD/ XM etc., OWA/ SP CSVserver

SSL TM LB

GW vserver bound to CS

HTT

P/ S

SL

TM

Bac

kend

s

ContentSwitching Seamless SSO Backend Traffic

Unified Gateway - Seamless SSO (TM GW & TM TM)

CS Policy Evaluation

Seamless SSO

Backend SSO

TM LB1 HTTP/ SSL

GWVserver bound to CS

Auth @ GW

GW vserver Bound to CS

HTTP/ SSL GW Backends

Enterprise/Onprem

Feature License

Unified Gateway

NetScaler Platinum ✔

NetScaler Enterprise ✔

NetScaler Standard ✗

NetScaler Gateway ✗

Unified Gateway – License Requirements

Unified Gateway – Security Concerns

• Seamless SSO is optional for Gateway – ‘-loginOnce’ knob can be turned OFF to disable TM->GW or GW->TM seamless SSO. – Default value is OFF.

• TM need higher level Authentication – Step up authentication for TM can be configured behind Unified Gateway

• SSL properties for Smart card authentication will be taken from CS vserver.

Change ICAProxy into Unified Gateway: OWA Example

ICAProxy to Unified Gateway: OWA Example Step 1: SSLVPN Vserver to internal IP & enable LoginOnce

CLI: set vpn vserver icaproxy.peter.lab -ipAddress 2.2.2.2 -loginOnce on

ICAProxy to Unified Gateway: OWA Example Step 2: Add OWA-LB Vserver and set Authentication to SSLVPN VServer ICAProxy

CLI: add lb vserver LB_OWA HTTP 0.0.0.0 0

CLI: set lb vserver LB_OWA -Authentication ON -authnVsName icaproxy.peter.lab

ICAProxy to Unified Gateway: OWA Example Step 3: Add CS Vserver and CS Policies

CLI: add cs vserver UG_ICAProxy SSL 192.168.178.60 443

CLI: add cs action CS_OWA -targetLBVserver LB_OWA add cs action CS_SSLVPN_ICAProxy -targetVserver icaproxy.peter.lab add cs policy CS_Pol_OWA -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\”/owa\")" -action CS_OWA add cs policy CS_Pol_ICAProxy -rule true -action CS_SSLVPN_ICAProxy


nFactor for Gateway

nFactor

• Motivation • Flexibility • Extensibility • Conditional authentication • Customized messages/feedback • Recovery

Example 1: Classic model Order of execution: left to right

• Dots represent policies • Like colors represent pairs in

2factor • Transitions represent desired

flow

Task: How do you unravel this formation ?

Example 1: nFactor

Simpler, isn’t it ?

Problems with Legacy Model • All users on a vserver see same number of cascades - you need multiple end-

points

• Login pages cannot show extra fields and elements dynamically - pwcount

• Username and password field names cannot change

• Factors are not adaptive - group extraction cannot be done first

• A maximum of two factors

• Some factors can only happen in primary

• Login pages are static

• Context sensitive help is not dynamic

nFactor for Gateway end Q1/16

Netscaler

TM vserver

CS vserver

Gateway

auth

Existing model

2Factor Cert or OTP: Look ‚n Feel

TM: Alex Maslo

2Factor Cert or OTP: logical flow

TM: Alex Maslo

TM: Alex Maslo

2Factor Cert or OTP: nFactor flow


NetScaler Deployment Guides

Microsoft applications landscape

NetScaler VPX on Azure for XA/XD

• Active / Stand-by

NetScaler + Exchange 2013 Deployment Guides

• Deployment • Authentication & Optimization • GSLB • ActiveSync with Kerberos

NetScaler + SharePoint 2013 Deployment Guides

• Traffic Management (LB/CS) and Authentication - AppExpert

• Hybrid Deployment • GSLB • Optimization • Cisco ACI Automation

NetScaler + Office 365 Deployment Guide

• Forms Authentication + SAML • Kerberos Authentication + SAML

Remote Desktop Services

• RDP Proxy – Enterprise/Platinum edition license – Uses native RDP client for connection – Single Gateway/Dual Gateway solution – Single Sign-On ability – Security enforcement

• RDS LB – Load balancing of RDP protocol – Native RDP-type vservers on NS – CTX131808

http://support.citrix.com/article/CTX131808

Work better. Live better. Work better. Live better.

konsolidieren und schützen sie die zugriffe auf beliebige...

Documents