Citrix Secure Gateway v1.1 - PowerPoint PPT Presentation

Provided by: PhilMon
Transcript and Presenter's Notes

Title: Citrix Secure Gateway v1.1


1
Citrix Secure Gateway v1.1
  • Technical Presentation
  • August 2002

2
What is Citrix Secure Gateway?
  • Citrix Secure Gateway is a secure Internet
    gateway between MetaFrame servers and ICA Client
    workstations that allows customers to simply and
    securely deliver applications across the
    Internet, on demand, to any device 

3
Typical Layout
[Diagram. Zones: Internet, DMZ, Internal Network. Components: Client Workstations, Firewall (two), Citrix Secure Gateway, Citrix NFuse Classic, Citrix MetaFrame XP and/or MetaFrame for Unix. Functions shown: Authentication, Access Mgmt., Secure Connectivity.]

4
CSG traffic flow
[Diagram. Components: ICA Client, CSG Server (DMZ), NFuse, Citrix XML Service, MetaFrame Server Farm. Link labels: ICA/SSL 443; ICA/1494; .ICA file; HTTP/S 443; XML-HTTP/80.]

5
CSG for Windows Gateway Service
  • Windows 2000 native Service
  • Runs in DMZ, does not require IIS installed
  • Multi-threaded design (utilizes IO Completion
    Ports) for high efficiency and throughput.
  • Utilizes Microsoft Schannel for SSL/TLS
    functions
  • Server certificate required for SSL server
    authentication
  • Build large CSG arrays for scalability and fault
    tolerance using industry standard external
    network load balancer.
  • GUI configuration tool.
  • Small benefit from PCI based SSL accelerators

6
CSG for Solaris daemon
  • Solaris on SPARC v8 supported
  • Multithreaded Solaris daemon
  • Includes certificate management tools
  • Embedded OpenSSL for SSL/TLS functions
  • Server certificate required for SSL server
    authentication
  • Build large CSG arrays for scalability and fault
    tolerance using industry standard external
    network load balancer.

7
Secure Ticketing Authority
  • Implemented as ISAPI DLL
  • Microsoft IIS WWW Service required
  • Extremely lightly loaded service
  • Redundant STAs can be defined
  • Service should not be reachable from outside DMZ
  • Communicates to CSG and NFuse via XML protocol
    over HTTP. Port configurable
  • Links to CSG and NFuse can be secured by Windows
    2000 Server to Server VPN
  • GUI configuration tool

8
CSG Ticketing
[Diagram. Components: Web Browser, ICA Client, Secure Web Server, NFuse, CSG Server, Secure Ticketing Authority (DMZ), XML Service, Production MetaFrame Farm.]
1. Standard ICA Name Resolution
2. Requested CSG ticket on application launch
3. CSG ticket is delivered to the ICA client as part of the ICA file.
4. CSG ticket is delivered to the CSG server
5. CSG server verifies the ticket and opens the ICA connection.
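
The five ticketing steps above, modelled as an added example (not Citrix code and not part of the presentation). The single-use behaviour, the 100-second lifetime, the field names in the generated file and all host names and addresses are assumptions of this example.

```python
import secrets
import time


class TicketAuthority:
    """Toy stand-in for the Secure Ticketing Authority (STA)."""

    def __init__(self, ttl_seconds=100, clock=time.monotonic):
        self._ttl = ttl_seconds   # assumed lifetime; the slides give none
        self._clock = clock
        self._pending = {}        # ticket -> (internal address, expiry)

    def issue(self, server_addr):
        """Step 2: NFuse requests a ticket when an application is launched."""
        ticket = secrets.token_hex(16)  # random, reveals nothing about the farm
        self._pending[ticket] = (server_addr, self._clock() + self._ttl)
        return ticket

    def redeem(self, ticket):
        """Step 5: the gateway trades a ticket for the real server address."""
        entry = self._pending.pop(ticket, None)  # pop: assumed single use
        if entry is None:
            return None
        server_addr, expires = entry
        return server_addr if self._clock() <= expires else None


def build_ica_file(gateway_host, ticket):
    """Step 3: the file names only the gateway and carries the ticket.
    Field names are hypothetical, not the real .ICA format."""
    return {"gateway": f"{gateway_host}:443", "ticket": ticket}


def gateway_connect(sta, ica_file):
    """Steps 4-5: verify the presented ticket, then relay ICA inward."""
    server_addr = sta.redeem(ica_file.get("ticket", ""))
    if server_addr is None:
        return "rejected"
    return f"relay to {server_addr}"


if __name__ == "__main__":
    sta = TicketAuthority()
    # Constructed sample values: internal server and gateway name.
    ica = build_ica_file("csg.example.com", sta.issue("10.0.0.5:1494"))
    print(ica)                        # no internal address in the file
    print(gateway_connect(sta, ica))  # first use is relayed
    print(gateway_connect(sta, ica))  # replayed ticket is rejected
```

Because the client only ever receives the gateway name and an opaque ticket, the internal server address stays behind the DMZ, which is the address-hiding property the later slides attribute to CSG.
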
9
Encryption and Connectivity
  • Secures ICA Traffic only
  • SSL v3.0 or TLS v1.0 with 128-bit encryption
  • CSG Service uses single Server Certificate
  • Single CSG IP address is exposed to internet
  • Ease of firewall traversal (uses port 443 only)

10
Authentication
  • Authentication is provided by the NFuse Classic
    web server: users must first authenticate to an
    NFuse Classic web server before using CSG.
  • NFuse Classic supports various authentication
    methods
      • Microsoft NT Domain and Active Directory
      • Novell NDS
      • SmartCard
  • Use whatever security mechanisms you wish to
    protect your web server from unauthorized access
    (e.g. RSA SecurID, SafeWord PremierAccess)
  • Authentication process is further secured using
    an HTTPS configured NFuse Web server

11
Deployment with Citrix Secure Gateway
  • Citrix Secure Gateway is highly scalable
  • Build fault tolerant CSG arrays with industry
    standard load balancers.
  • Multiple redundant STAs can be configured.
  • CSG supports MetaFrame v1.8 and higher.
  • CSG Supports MetaFrame for UNIX on Sun Solaris,
    HPUX and IBM AIX.
  • Supported ICA Clients available for all Windows
    platforms as well as Windows CE, Java, Solaris,
    Unix, and Macintosh.

12
Deployment Issues
  • Citrix v6.30 Windows Java ICA clients can
    traverse a number of industry standard secure
    proxy servers.
  • CSG to STA and NFuse links do not have native
    encryption capabilities; use a Windows 2000
    server to server VPN.
  • No client auto-reconnect. This feature is often
    not required across the Internet, for security
    reasons.

13
Citrix Security Solutions
  • SecureICA
  • SSL Relay
  • Citrix Secure Gateway
  • VPN Solution
CSG is a simple and secure, ICA-only solution

14
When to use SecureICA or SSL Relay
  • Use SecureICA when
      • Internal LAN / WAN / Intranet
      • Secure DOS or Win 16 access is necessary
      • Have older devices / ICA clients that cannot
        be upgraded
      • Risk of man-in-the-middle attack is acceptable
  • Use SSL Relay when
      • Small number of MetaFrame servers to support
        (fewer than 5)
      • No need to secure access at DMZ
      • No need to hide server IP addresses, or NAT is
        used
      • Need end-to-end encryption of data between
        client and server

15
When to use CSG or VPN
  • Use Citrix Secure Gateway when
      • Large number of servers to support
      • Want to hide internal network addresses
      • Want to secure from DMZ
      • Need two-factor authentication (in conjunction
        with NFuse)
      • Need non-intrusive client install, i.e. access
        from Internet cafes
  • Use a Virtual Private Network (VPN) when
      • Need two-factor authentication
      • Need to create a secure pipeline for full
        (beyond ICA) network access
      • Need to create secure tunnels between sites
      • Want to secure from within DMZ
      • Access is normally via same workstation, i.e.
        OK to install additional client
      • Want to use IPSEC

16
Internet Café Solution
  • Build a complete, Java applet-based solution,
    which assumes nothing pre-installed on clients.
      • MetaFrame XPe
      • Citrix NFuse Classic 1.7
      • Citrix Secure Gateway
      • Replaceable authentication (e.g. RSA SecurID,
        SafeWord PremierAccess)
      • Citrix ICA Java Client, running in Applet mode
        (included with NFuse Classic 1.7)

17
What's new in CSG v1.1
  • Windows 2000 certification
  • List of IP addresses not to log (e.g. network
    load balancer)
  • All CSG logging to Windows system log
  • TLS v1.0 and SSL v3.0 (exclusive)
  • GOV, COM, or ALL crypto selection
  • FIPS 140-1 certified crypto modules
  • No NFuse Extensions: NFuse Classic v1.7
    natively supports CSG
  • Solaris platform edition

18
CSG v1.1 availability
  • CSG v1.1 Windows (English) available on MetaFrame
    FR2 Components CD
  • CSG v1.1 Windows (English) is fully
    internationalized for operation on non-English
    Windows 2000.
  • CSG v1.1 Windows (Japanese) available on
    MetaFrame FR2 (J) Components CD
  • CSG v1.1 Solaris available from Citrix Secure
    Portal for Subscription Advantage Customers

19
For More Information
  • Contact a local member of the Citrix Solutions
    Network
  • Connect to Citrix Web site at
    www.citrix.com/products/securegateway
