Client Access - PowerPoint PPT Presentation

About This Presentation
Title: Client Access

Slides: 24
Provided by: besti8
Transcript and Presenter's Notes

1
Client Access Published applications
  • Control through TEMPLATE.ICA
  • Use SSL
  • Authentication level
  • Remove
    • EncRc5-0
    • EncRc5-40
    • EncRc5-56
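
An added example, not part of the original slides: a small audit of a TEMPLATE.ICA file for the three encryption levels the slide says to remove. It assumes an INI-style template with sections named after each level and an `EncryptionLevelSession` key; the sample template, its application name, address and driver file names are constructed placeholders.

```python
import re

# Levels the slide lists for removal; compared case-insensitively.
WEAK_LEVELS = {"encrc5-0", "encrc5-40", "encrc5-56"}
SECTION = re.compile(r"\[([^\[\]]+)\]")

# Constructed sample template (assumed layout, placeholder values).
SAMPLE = """\
[ApplicationServers]
Notepad=

[Notepad]
Address=10.0.0.10
EncryptionLevelSession=EncRC5-40

[EncRC5-0]
DriverNameWin32=placeholder.dll

[EncRC5-40]
DriverNameWin32=placeholder.dll

[EncRC5-128]
DriverNameWin32=placeholder.dll
"""

def audit_ica(text):
    """Return (line_no, kind, value) for every weak-level section or setting."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        m = SECTION.fullmatch(line)
        if m and m.group(1).strip().lower() in WEAK_LEVELS:
            findings.append((no, "section", m.group(1).strip()))
        key, sep, value = line.partition("=")
        if (sep and key.strip().lower() == "encryptionlevelsession"
                and value.strip().lower() in WEAK_LEVELS):
            findings.append((no, "setting", value.strip()))
    return findings

def strip_weak_sections(text):
    """Drop whole sections named after a weak level; other lines are kept."""
    kept, skipping = [], False
    for raw in text.splitlines():
        m = SECTION.fullmatch(raw.strip())
        if m:  # each section header decides whether to skip until the next one
            skipping = m.group(1).strip().lower() in WEAK_LEVELS
        if not skipping:
            kept.append(raw)
    return "\n".join(kept) + "\n"
```

Running `audit_ica` again on the stripped template still reports the application's `EncryptionLevelSession` line, so the requested level has to be raised as well as the weak sections removed.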

2
Remote Access
  • 80211X, 802.11G, 802.11b, 802.11a
  • 11 Mbps 55 Mbps
  • Wireless WAN
  • 40-120 Kbit
  • Public network
  • CDPD, 1xRTT, other
  • High Speed access
  • Cable modem
  • xDSL (ADSL, IDSL, SDSL)

3
Wireless LAN or WAN
  • Secure WLAN or WWAN with Secure Gateway
  • Internal Firewall
  • Port filtering at access device
  • Firewall behind access device (i.e. extended access list)

[Diagram labels: WLAN Client, WAP, External Client, STA, MetaFrame XP Farm; ports 80, 443, 1494]
4
Connections
5
Packet filtering (port based)
  • Prevent data from reaching unintended services
  • Restrict data flow based on destination ports
  • Control services that respond to requests
  • TCP port
  • UDP port
  • IP protocol number

6
Many links to consider.
[Diagram labels: MetaFrame XP Server Farm, Internet Explorer and ICA Client, Secure Gateway Proxy, Secure Gateway, Gateway Client, Internal Web Servers, MetaFrame Secure Access Manager, Authorization Service STA, Logon Agent, HTTP(S), 3rd Party Auth, ICA/Secure ICA]
7
Web Interface
  • First things First!
  • Mandate that authentication occurs over SSL
  • IIS Example (IISAdmin)

8
Web Interface / Secure Access Manager
9
Web Interface / Secure Access Manager
  • Web server hardening
  • IIS lockdown tool
  • Must enable ASP (advanced)
  • Remove sample directories from web server
  • Move webroot from default location
  • CTX102001
  • Enforce password policies
  • Expire passwords
  • Alphanumeric combinations
  • Remove IIS Anonymous user account
  • Create account to replace
  • Disable Pass-through authentication

10
Web Interface / Secure Access Manager
  • Disable unused services
  • Remove unnecessary components
  • Apply latest service packs
  • Free tool HFNETCHK to review installed Hotfixes
  • Disable default admin shares (C, Admin, etc.)
  • Unbind NetBIOS from all adapters
  • Disable NetBIOS over TCP/IP
  • Use Port Filtering!
    • 80 or 443 for the STA
    • 443 for Secure Gateway/Web Interface or Logon Agent
    • 1494, 80 and/or 443 for MetaFrame XP Presentation servers
  • Use extended access lists where possible

11
Secure Gateway
12
(No Transcript)
13
SSL/TLS Support
  • SSL V3.0 and TLS V1.0 secure protocols supported
  • SSL-Secured connections may now include
  • Client browser to Web Interface server
  • Web Interface to MetaFrame XML Service
  • Web Interface to Secure Ticket Authority
  • Secure Gateway to Secure Gateway Proxy
  • Secure Gateway to Authentication Service
  • Secure Gateway to Secure Ticket Authority
  • Secure Gateway to Logon Agent
  • Logon Agent to Authentication Service

14
Web Interface
15
SSL Certificate
Issued to Internet FQDN, not necessarily the server name
Dates are valid
Corresponding private key
16
Certificate Placement
17
Single DMZ
[Diagram labels: MetaFrame XP Presentation Server Farm, Internet Explorer and ICA Client, Secure Gateway Service, Gateway Client, Internal Web Servers, Web Interface, MetaFrame Secure Access Manager, Authentication Service STA, Logon Agent, Optional 3rd Party Auth, HTTP(S), ICA]
18
Dual Stage DMZ
19
MMC Management Tools
20
MMC Management Tools Continued.
  • Secure access to all of your content
  • Files
  • Internal web content
  • Published applications
  • Management console
  • Log connections
  • Real time counters

21
MMC Management Tools Continued.
  • Real time
  • User name
  • Domain
  • Server connected
  • Bytes transferred
  • Connection time
  • Connection date

22
MMC Management Tools Continued.
  • Perfmon Statistics
  • Total failed.
  • Ticket validations
  • Validations
  • Connections
  • ACL rejected
  • and more

23
Securing connections continued.
  • Best Practices for Securing a Secure Gateway Deployment
  • CTX19376