XenApp 5 Security Standards and Deployment Scenarios
- Tyler Dean
- 6 years ago
1 XenApp 5 Security Standards and Deployment Scenarios :22:07 UTC 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement
Contents

- XenApp 5 Security Standards and Deployment Scenarios
- Security Considerations in a XenApp Deployment
- Country-Specific Government Information
- FIPS 140 and XenApp
- TLS/SSL Protocols
- Government Ciphersuites
- IP Security
- Citrix Password Manager
- Smart Cards
- Smart Card Support
- Kerberos Authentication
- Citrix XenApp Plugins
- Standards Summary
- Virtual Channels
- Additional XenApp Security Features
- ICA Encryption Using SecureICA
- Authentication for the Web Interface Using RSA SecurID
- Authentication for the Web Interface Using SafeWord
- Deployment Samples
- Sample A Using the SSL Relay
  - How the Components in Sample Deployment A Interact
  - FIPS 140 Validation in Sample Deployment A
  - TLS/SSL Support in Sample Deployment A
  - Supported Ciphersuites for Sample Deployment A
  - Certificates and Certificate Authorities in Sample Deployment A
  - Smart Card Support in Sample Deployment A
  - Plugins Used in Sample Deployment A
- Sample B Using Secure Gateway (Single-Hop)
  - How the Components in Sample Deployment B Interact
  - IPSec in Sample Deployment B
  - FIPS 140 Validation in Sample Deployment B
  - TLS/SSL Support in Sample Deployment B
  - Supported Ciphersuites for Sample Deployment B
  - Certificates and Certificate Authorities in Sample Deployment B
  - Smart Card Support in Sample Deployment B
  - Plugins Used in Sample Deployment B
- Sample C Using Secure Gateway (Double-Hop)
  - How the Components in Sample Deployment C Interact
  - IPSec in Sample Deployment C
  - FIPS 140 Validation in Sample Deployment C
  - TLS/SSL Support in Sample Deployment C
  - Supported Ciphersuites for Sample Deployment C
  - Certificates and Certificate Authorities in Sample Deployment C
  - Smart Card Support in Sample Deployment C
  - Plugins Used in Sample Deployment C
- Sample D Using the SSL Relay and the Web Interface
  - How the Components in Sample Deployment D Interact
  - FIPS 140 Validation in Sample Deployment D
  - TLS/SSL Support in Sample Deployment D
  - Supported Ciphersuites for Sample Deployment D
  - Certificates and Certificate Authorities in Sample Deployment D
  - Smart Card Support in Sample Deployment D
  - Plugins Used in Sample Deployment D
- Sample E Using Password Manager and Secure Gateway (Single-Hop)
  - How the Components in Sample Deployment E Interact
  - IPSec in Sample Deployment E
  - FIPS 140 Validation in Sample Deployment E
  - TLS/SSL Support in Sample Deployment E
  - Supported Ciphersuites for Sample Deployment E
  - Certificates and Certificate Authorities in Sample Deployment E
  - Smart Card Support in Sample Deployment E
  - Plugins Used in Sample Deployment E
XenApp 5 Security Standards and Deployment Scenarios

Citrix products offer the security specialist a wide range of features for securing a XenApp system according to officially recognized standards. Security standards as they apply to Citrix XenApp 5.0 for Microsoft Windows Server 2003 and Citrix XenApp 5.0 for Microsoft Windows Server 2008 are discussed here. These topics provide an overview of the standards that apply to XenApp deployments and describe the issues involved in securing communications across a set of sample XenApp deployments. For more information about the details of the individual security features, refer to the relevant product or component documentation.

When deploying XenApp 5.0 for Windows Server within large organizations, particularly in government environments, security standards are an important consideration. For example, many government bodies in the United States and elsewhere specify a preference or requirement for applications to be compliant with FIPS 140. These topics address common issues related to such environments.

These topics are designed for security specialists, systems integrators, and consultants, particularly those working with government organizations worldwide.

Note: Later Citrix product and feature versions may be available and may be supported on different operating system versions; Citrix XenApp 5 security test configurations used the versions noted in these topics.
Security Considerations in a XenApp Deployment

XenApp provides server-based computing to local and remote users through the Independent Computing Architecture (ICA) protocol developed by Citrix. ICA is the communication protocol by which servers and client devices exchange data in a XenApp environment. ICA is optimized to enhance the delivery and performance of this exchange, even on low bandwidth connections.

As an application runs on the server, XenApp intercepts the application's display data and uses the ICA protocol to send this data (on standard network protocols) to the plugin software running on the user's client device. When the user types on the keyboard or moves and clicks the mouse, the plugin software sends the data generated for processing by the application running on the server. ICA requires minimal client workstation capabilities and includes error detection and recovery, encryption, and data compression.

A server farm is a collection of XenApp servers that you can manage (from the Access Management Console) as a single entity. A server can belong to only one farm, but a farm can include servers from more than one domain. The design of server farms has to balance the goal of providing users with the fastest possible application access with that of achieving the required degree of centralized administration and network security.

Note that in XenApp deployments that include the Web Interface, communication between the server running the Web Interface and client devices running Web browsers (and plugin software) takes place using HTTP.

In a XenApp deployment, administrators can configure encryption using either of the following:

- SSL Relay, a component that is integrated into XenApp
- Secure Gateway, a separate component provided on the XenApp installation media
Country-Specific Government Information

The following topics are of particular relevance to XenApp installations in Australia, the United Kingdom, and the United States:

- FIPS 140 and XenApp
- TLS/SSL Protocols
- Smart Cards
- Smart Card Support
- Kerberos Authentication

In addition, for information on Common Access Cards (of particular relevance to installations in the United States), see Smart Card Support. For more information about issues specific to your country, contact your local Citrix representative.
FIPS 140 and XenApp

Federal Information Processing Standard 140 (FIPS 140) is a U.S. Federal Government standard that specifies a benchmark for implementing cryptographic software. It provides best practices for using cryptographic algorithms, managing key elements and data buffers, and interacting with the operating system. An evaluation process that is administered by the National Institute of Standards and Technology (NIST) National Voluntary Laboratory Accreditation Program (NVLAP) allows encryption product vendors to demonstrate the extent to which they comply with the standard and, thus, the trustworthiness of their implementation.

FIPS 140-1, published in 1994, established requirements for cryptographic modules to provide four security levels that allowed cost-effective solutions appropriate for different degrees of data sensitivity and different application environments. FIPS 140-2, which superseded FIPS 140-1 in 2002, incorporated changes in standards and technology since 1994. FIPS 140-3, which is still in draft, adds an additional security level and incorporates new security features that reflect recent advances in technology.

Some U.S. Government organizations restrict purchases of products that contain cryptography to those that use FIPS 140-validated modules. In the U.K., guidance published by the Communications-Electronics Security Group (CESG) recommends the use of FIPS 140-approved products where the required use for information is below the RESTRICTED classification, but is still sensitive (that is, data classified PRIVATE).

The security community at large values products that follow the guidelines detailed in FIPS 140 and the use of FIPS 140-validated cryptographic modules. To implement secure access to application servers and to meet the FIPS 140 requirements, Citrix products can use cryptographic modules that are FIPS 140 validated in Windows implementations of secure TLS or SSL connections.

The following XenApp components can use cryptographic modules that are FIPS 140 validated:

- XenApp
- Citrix XenApp Plugin for Hosted Apps for Windows (including the Citrix XenApp plugin, the Citrix XenApp Web Plugin, and Program Neighborhood)
- Web Interface
- SSL Relay
- Secure Gateway for Windows

Where the client and server components (listed above) communicate with the TLS or SSL connection enabled, the cryptographic modules that are used are provided by the Microsoft Windows operating system. These modules use the Microsoft Cryptography Application Programming Interface (CryptoAPI) and are FIPS 140 validated.
Note: On both Windows Vista with Service Pack 1 and Windows Server 2008, you must apply Microsoft hotfix kb to ensure that the random number generator used within CryptoAPI and, therefore, the underlying operating system is FIPS 140 compliant.

The ciphersuite RSA_WITH_3DES_EDE_CBC_SHA, defined in Internet RFC 2246, uses RSA key exchange and TripleDES encryption. This is achieved as follows:

According to the Microsoft documentation, FIPS-compliant systems that use FIPS 140-certified cryptomodules can be deployed by following a prescribed set of steps. These steps include setting a particular FIPS local policy flag.

As noted in the Microsoft documentation referenced above, not all Microsoft components and products check the FIPS local policy flag. Refer to the Microsoft documentation for instructions on how to configure these components and products to behave in a FIPS-compliant manner.

Similarly, Citrix components do not check the FIPS local policy flag. Instead, these components must be configured to behave in a FIPS-compliant manner. Specifically, Citrix components that use TLS must be configured to use government ciphersuites. This will cause the component to select one of the following ciphersuites:

- RSA_WITH_3DES_EDE_CBC_SHA [RFC 2246]
- RSA_WITH_AES_128_CBC_SHA [FIPS 197, RFC 3268]
- RSA_WITH_AES_256_CBC_SHA [FIPS 197, RFC 3268]

Given the accuracy of the above statements, and assuming that all these steps are followed, the resulting XenApp configuration will use FIPS 140 cryptomodules in a FIPS-compliant manner.

For a list of currently validated FIPS 140 modules, see For more information about FIPS 140 and NIST, visit the NIST Web site at
TLS/SSL Protocols

You can secure communications between client devices and servers using either the Transport Layer Security (TLS) 1.0 or Secure Sockets Layer (SSL) 3.0 protocols. These protocols are collectively referred to as TLS/SSL. Both TLS and SSL are open protocols that provide data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. Note that both the SSL Relay and Secure Gateway support TLS and SSL.

SSL is an open, nonproprietary security protocol for TCP/IP connections. If you want to use the SSL Relay to secure communications between client devices and servers within the server farm, you must install the SSL Relay on each server in the farm. Alternatively, you can use Secure Gateway. Both the SSL Relay and Secure Gateway implementations are discussed in this documentation.

TLS, which is also an open standard, is the latest, standardized version of the SSL protocol. The SSL Relay also supports TLS; you can configure the SSL Relay, Secure Gateway, and the Web Interface to use TLS. Support for TLS Version 1.0 is included in XenApp 5.0 and Password Manager 4.6.

Because there are only minor differences between TLS and SSL, the server certificates in your installation can be used for both TLS and SSL implementations.
Government Ciphersuites

You can configure XenApp, the Web Interface, and Secure Gateway to use government-approved cryptography to protect "sensitive but unclassified" data by using the applicable ciphersuite:

- RSA_WITH_3DES_EDE_CBC_SHA supports RSA key exchange and TripleDES encryption, as defined in Internet RFC 2246.
- RSA_WITH_AES_128_CBC_SHA supports RSA key exchange with Advanced Encryption Standard (AES) and 128-bit keys for TLS connections, as defined in FIPS 197 and Internet RFC 3268. For more information about AES, see
- RSA_WITH_AES_256_CBC_SHA supports RSA key exchange with AES and 256-bit keys for TLS connections, as defined in FIPS 197 and RFC 3268.
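The FIPS 140 and Government Ciphersuites topics above both say that a correctly configured component selects one of three ciphersuites. The following added example (not part of the Citrix documentation) checks that from the wire: it parses a ServerHello record, as seen in a packet capture of the handshake, and reports whether the negotiated protocol and ciphersuite match. The function names and the sample records are constructed for illustration; the `require_tls` policy switch is an assumption modelled on the sample deployments being configured for TLS.

```python
import struct

# Government ciphersuites named on this page, keyed by their two-byte TLS code points.
GOV_SUITES = {
    0x000A: "RSA_WITH_3DES_EDE_CBC_SHA",  # RFC 2246
    0x002F: "RSA_WITH_AES_128_CBC_SHA",   # RFC 3268
    0x0035: "RSA_WITH_AES_256_CBC_SHA",   # RFC 3268
}
PROTOCOLS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0"}


class HelloError(ValueError):
    """Raised when the bytes are not a complete ServerHello record."""


def parse_server_hello(record: bytes) -> dict:
    """Return version, selected suite and compression from one handshake record."""
    if len(record) < 5:
        raise HelloError("truncated record header")
    content_type, _record_version, length = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise HelloError("not a handshake record")
    body = record[5:5 + length]
    if len(body) != length:
        raise HelloError("truncated record body")
    if len(body) < 4 or body[0] != 0x02:
        raise HelloError("first handshake message is not a ServerHello")
    hello_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hello_len]
    # Fixed part: 2-byte version, 32-byte random, 1-byte session id length.
    if len(hello) != hello_len or hello_len < 35:
        raise HelloError("truncated ServerHello")
    session_id_len = hello[34]
    pos = 35 + session_id_len
    if session_id_len > 32 or len(hello) < pos + 3:
        raise HelloError("bad session id length")
    return {
        "version": int.from_bytes(hello[0:2], "big"),
        "suite": int.from_bytes(hello[pos:pos + 2], "big"),
        "compression": hello[pos + 2],
    }


def audit(record: bytes, require_tls: bool = True) -> list:
    """Return a list of findings; an empty list means the handshake is as expected."""
    hello = parse_server_hello(record)
    version, suite = hello["version"], hello["suite"]
    findings = []
    if version not in PROTOCOLS:
        findings.append("unexpected protocol version 0x%04X" % version)
    elif require_tls and version != 0x0301:
        findings.append("%s negotiated, TLS 1.0 expected" % PROTOCOLS[version])
    if suite not in GOV_SUITES:
        findings.append("non-government ciphersuite 0x%04X selected" % suite)
    return findings


def build_sample(version: int, suite: int, session_id: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (zeroed random) to use as test input."""
    hello = (version.to_bytes(2, "big") + bytes(32) + bytes([len(session_id)])
             + session_id + suite.to_bytes(2, "big") + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + version.to_bytes(2, "big") + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    samples = {
        "TLS 1.0 + AES-128 (GOV)": build_sample(0x0301, 0x002F),
        "TLS 1.0 + RC4-SHA (not GOV)": build_sample(0x0301, 0x0005),
        "SSL 3.0 + 3DES (GOV suite, SSL)": build_sample(0x0300, 0x000A),
    }
    for label, record in samples.items():
        print(label, "->", audit(record) or "ok")
```

The ServerHello travels unencrypted, so this check works on a capture taken anywhere between the plugin and the SSL Relay or Secure Gateway without access to the server's private key.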
IP Security

IP Security (IPSec) is a set of standard extensions to the Internet Protocol (IP) that provides authenticated and encrypted communications with data integrity and replay protection. IPSec is a network-layer protocol set, so higher level protocols such as Citrix ICA can use it without modification.

Although such sample deployments are outside the scope of this document, you can use IPSec to secure a XenApp deployment within a virtual private network (VPN) environment.

IPSec is described in Internet RFC Microsoft Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003 have built-in support for IPSec.
Citrix Password Manager

Citrix Password Manager increases application security for all XenApp applications, allowing organizations to centralize password management while providing users with fast sign-on access to Web, Windows, and host-based applications. Password Manager is available as a standalone product and is included in XenApp Platinum Edition.
Smart Cards

You can use smart cards with XenApp, supported XenApp plugins, the Web Interface, and Password Manager to provide secure access to applications and data. Using smart cards simplifies the authentication process while enhancing logon security. XenApp supports smart card authentication to published applications, including smart card-enabled applications such as Microsoft Outlook.

In a business network, smart cards are an effective implementation of public key technology and can be used for the following purposes:

- Authenticating users to networks and computers
- Securing channel communications over a network
- Securing content using digital signatures

If you are using smart cards for secure network authentication, your users can authenticate to applications and content published on your server farms. In addition, smart card functionality within these published applications is also supported. For example, a published Microsoft Outlook application can be configured to require that users insert a smart card into a smart card reader attached to the client device in order to log on to a XenApp server. After users are authenticated to the application, they can digitally sign using certificates stored on their smart cards.

Citrix supports the use of Personal Computer Smart Card (PC/SC)-based cryptographic smart cards. These cards include support for cryptographic operations such as digital signatures and encryption. Cryptographic cards are designed to allow secure storage of private keys such as those used in Public Key Infrastructure (PKI) security systems. These cards perform the actual cryptographic functions on the smart card itself, meaning that the private key and digital certificates never leave the card.

In addition, you can use two-factor authentication for increased security. Instead of merely presenting the smart card (one factor) to conduct a transaction, a user-defined PIN (a second factor) known only to the user, is used to prove that the cardholder is the rightful owner of the smart card.
Smart Card Support

Citrix continues testing various smart cards to address smart card usage and compatibility issues with XenApp. XenApp supports the Common Access Card in a deployment that includes the Citrix XenApp Plugin for Hosted Apps for Windows. Contact your Common Access Card vendor or Citrix representative for more information about supported versions of Common Access Card hardware and software.

Citrix tests smart cards using certificates from common certificate authorities such as those supported by Microsoft. If you have any concerns regarding your certificate authority and compatibility with XenApp, contact your local Citrix representative.
Kerberos Authentication

Kerberos is an authentication protocol. Version 5 of this protocol was first standardized as Internet RFC Many operating systems, including Microsoft Windows 2000 and later, support Kerberos as a standard feature.

XenApp extends the use of Kerberos. When users log on to a client device, they can connect to XenApp without needing to authenticate again. The user's password is not transmitted to XenApp; instead, authentication tokens are exchanged using the Generic Security Services API (GSSAPI), which was first standardized in Internet RFC This authentication exchange is performed within a Citrix Independent Computing Architecture (ICA) virtual channel and does not require any additional protocols or ports. The authentication exchange is independent of the logon method, so it can be used with passwords, smart cards, or biometrics.

To use Kerberos authentication with XenApp, both the client and server must be appropriately configured. You can also use Microsoft Active Directory Group Policy to selectively disable Kerberos authentication for specific users and servers.

For information on implementing Kerberos Authentication in a XenApp environment, see Knowledge Center article CTX
Citrix XenApp Plugins

With the Citrix XenApp Plugin for Hosted Apps installed on their client devices, users can work with applications running on XenApp servers. Users can access these applications from virtually any type of client device over many types of network connection, including LAN, WAN, dial-up, and direct asynchronous connections. Because the applications are not downloaded to the client devices (as with the more traditional network architecture), application performance is not limited by bandwidth or device performance.

Citrix XenApp Plugins are available for Windows, Macintosh, Linux, UNIX, and Windows CE operating systems, and the Java Runtime Environment. Additionally, you can use the Citrix XenApp Web Plugin with Web browsers that support ActiveX controls or Netscape plug-ins.

Citrix XenApp Plugins for Windows use cryptographic modules provided by the operating system. Other plugins, including the Client for Java, contain their own cryptographic modules. The Client for Java can, therefore, be used on older Windows operating systems that do not support strong encryption.

The table in Standards Summary lists the latest versions of the available plugins. The table specifies whether each plugin is FIPS 140 compliant, supports TLS, includes smart card support, uses government ciphersuites, supports certificate revocation checking, and supports Kerberos authentication. Note that certificate revocation checking is applicable to plugins running on Microsoft Windows 2000, Windows XP, and Windows Vista only.

Where the latest version of a plugin does not completely supersede a previous version (for example, a particular operating system may be supported only by an earlier plugin version), the earlier version of the plugin is also listed.
Standards Summary

The following table summarizes the standards relevant to the various XenApp plugins:

Plugin type (FIPS 140, TLS, Triple DES, AES, CRL check, Smart card, Kerberos)
Citrix XenApp plugin (Win32) 11.x: *¹ * * * * * *
Citrix XenApp Web Plugin (Win32) 11.x: *¹ * * * * * *
Program Neighborhood (Win32) 11.x: *¹ * * * * * *
Client for Windows CE for Windows-Based Terminals 10.x: *² * * *
Client for Windows CE for Handheld and Pocket PCs 10.x: *² * * *
Client for Macintosh 10.x: * * * * *
Client for Linux 10.x: * * *
Client for Java 9.x: * * * * *³
Client for Sun Solaris 8.x: * * *

Notes:
¹ These plugins inherit FIPS 140 compliance from the base operating system, Windows.
² These plugins inherit FIPS 140 compliance from the base operating system, Windows CE.
³ Kerberos authentication is not supported when the Client for Java is running on Mac OS X client devices.

The table below shows the certificate source for plugins that support at least one of the security features listed in the table above. Plugins marked OS use certificates stored in the operating system certificate store, those marked Plugin use certificates bundled with the plugin, and plugins marked JRE use certificates stored in the Java keystore.

Plugin type: Root certificate source
Citrix XenApp plugin (Win32) 11.x: OS
Citrix XenApp Web Plugin (Win32) 11.x: OS
Program Neighborhood (Win32) 11.x: OS
Client for Windows CE for Windows-Based Terminals 10.x: OS
Client for Windows CE for Handheld and Pocket PCs 10.x: OS
Client for Macintosh 10.x: OS
Client for Linux 10.x: Plugin
Client for Java 9.x: JRE (Java 1.4.x); JRE or OS (Java 1.5.x or later)
Client for Sun Solaris 8.x: Plugin
Virtual Channels

The following table shows which ICA virtual channels (or combination of virtual channels) can be used with XenApp for authentication and application signing or for encryption methods.

Note: This table applies only to XenApp, not to Password Manager.

Channel (Smart card authentication, Biometric¹ authentication, Password authentication, Application signing/encryption)
Smart card virtual channel: * * *
Kerberos virtual channel: * * *
Core ICA protocol (no virtual channel)

¹ Third-party equipment is required for biometric authentication.
Additional XenApp Security Features

The following products can be used with XenApp to provide additional security:

- SecureICA
- RSA SecurID
- Aladdin SafeWord

The topics below provide a brief overview of how these products can be used with XenApp. However, these additional security measures are not included in the sample deployments. For more information about the features of these products, refer to the relevant product documentation.
ICA Encryption Using SecureICA

ICA encryption with SecureICA is integrated into XenApp. With SecureICA, you can use up to 128-bit encryption to protect the information sent between a XenApp server and users' client devices. However, it is important to note that SecureICA does not use FIPS 140-compliant algorithms. If this is an issue, you can configure XenApp servers and plugins to avoid using SecureICA.
Authentication for the Web Interface Using RSA SecurID

You can use the third-party product RSA SecurID as an authentication method for the Web Interface running on Internet Information Services. If RSA SecurID is enabled, users must log on using their credentials (user name, password, and domain) plus their SecurID PASSCODE. The PASSCODE is made up of a PIN followed by a tokencode (the number displayed on the user's RSA SecurID token). RSA SecurID supports authentication on both XenApp and Password Manager.
Authentication for the Web Interface Using SafeWord

You can use the third-party product Aladdin SafeWord as an authentication method for the Web Interface running on Internet Information Services. If SafeWord is enabled, users must log on using their credentials (user name, password, and domain) plus their SafeWord passcode. The passcode is made up of the code displayed on the user's SafeWord token, optionally followed by a PIN. SafeWord supports authentication on XenApp, but not on Password Manager.
Deployment Samples

To make a XenApp deployment FIPS 140 compliant, you need to consider each communication channel within the installation. The following deployment samples show how users can connect to XenApp servers with different configurations of components and firewalls. In particular, the samples provide general guidance on how to make each communication channel secure using TLS/SSL so that the system as a whole is FIPS 140 compliant.

Note: Secure Gateway and the SSL Relay support both TLS and SSL-based encryption. Your choice of method is largely determined by which topology best meets the needs of your organization's security policies.

The deployment samples described in this document are as follows:

- Sample A Using the SSL Relay
- Sample B Using Secure Gateway (Single-Hop)
- Sample C Using Secure Gateway (Double-Hop)
- Sample D Using the SSL Relay and the Web Interface
- Sample E Using Password Manager and Secure Gateway (Single-Hop)
Sample A Using the SSL Relay

This deployment uses the SSL Relay to provide end-to-end TLS/SSL encryption between the XenApp server and the plugin.

This diagram shows sample deployment A, which uses the SSL Relay.

The deployment uses XenApp 5.0 for Microsoft Windows Server Users run the Citrix XenApp plugin 11.x (32-bit Windows) on their client devices.
How the Components in Sample Deployment A Interact

Use TLS/SSL to secure the connections between client devices and the XenApp servers. To do this, deploy TLS/SSL-enabled plugins to users and configure the SSL Relay on the XenApp servers. This deployment provides end-to-end encryption of the communication between the client device and the XenApp servers. Both the SSL Relay and the appropriate server certificate must be installed and configured on each server in the farm.

The SSL Relay operates as an intermediary in communication between client devices and the XML Service on each server. Each client device authenticates the SSL Relay by checking the SSL Relay's server certificate against a list of trusted certificate authorities. After this authentication, the client device and the SSL Relay negotiate requests in encrypted form. The SSL Relay decrypts the requests and passes them to the XenApp servers. All information sent to the client device from the servers passes through the SSL Relay, which encrypts the data and forwards it to the client device to be decrypted. Message integrity checks verify that each communication has not been tampered with.

This diagram shows a detailed view of sample deployment A.
FIPS 140 Validation in Sample Deployment A

In this deployment, the SSL Relay uses the Microsoft cryptographic service providers (CSPs) and associated cryptographic algorithms available in the Microsoft Windows CryptoAPI to encrypt and decrypt communication between client devices and servers. For more information about the FIPS 140 validation of the CSPs, see the Microsoft documentation.

For Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003, TLS/SSL support and the supported ciphersuites can also be controlled using the following Microsoft security option:

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

For more information, see the documentation for your operating system.
TLS/SSL Support in Sample Deployment A

You can configure XenApp to use either the Transport Layer Security 1.0 protocol or the Secure Sockets Layer 3.0 protocol. In sample deployment A, the components are configured for TLS.

For more information about configuring TLS, see the Citrix plugin documentation and the XenApp Administration documentation for the SSL Relay Configuration Tool. When using the SSL Relay Configuration Tool, ensure that TLS is selected on the Connection tab.
Supported Ciphersuites for Sample Deployment A

In this deployment, XenApp can be configured to use government-approved cryptography, such as the ciphersuite RSA_WITH_3DES_EDE_CBC_SHA, to protect sensitive but unclassified data. For more information about configuring government ciphersuites, see:

- The XenApp Administration documentation for the SSL Relay Configuration Tool. When using the SSL Relay Configuration Tool, ensure that only GOV is selected on the Ciphersuite tab.
- The Citrix plugin documentation.

Alternatively, for TLS connections, you can use AES as defined in FIPS 197. The government ciphersuites are RSA_WITH_AES_128_CBC_SHA for 128-bit keys and RSA_WITH_AES_256_CBC_SHA for 256-bit keys. As defined in Internet RFC 3268, these ciphersuites use RSA key exchange and AES encryption. For more information about AES, see
Certificates and Certificate Authorities in Sample Deployment A

Citrix products use standard Public Key Infrastructure (PKI) as a framework and trust infrastructure. In sample deployment A, a separate server certificate is configured for each XenApp server on which the SSL Relay is used. A root certificate is required for each client device. For more information, see the XenApp Administration documentation.
Smart Card Support in Sample Deployment A

In this deployment, you can configure XenApp to provide smart card authentication. To do this, you must configure authentication with Microsoft Active Directory and use the Microsoft Certificate Authority.
Plugins Used in Sample Deployment A

In this deployment, users access their applications using the Citrix XenApp plugin. For more information about the security features and capabilities of Citrix XenApp Plugins, see Citrix XenApp Plugins.
Sample B Using Secure Gateway (Single-Hop)

This deployment uses Secure Gateway in a single-hop configuration to provide TLS/SSL encryption between a secure Internet gateway server and an SSL-enabled plugin, combined with encryption of the HTTP communication between the Web browser and the Web server. Additionally, you can secure ICA traffic within the internal network using IPSec.

This diagram shows sample deployment B, which uses Secure Gateway in a single-hop configuration.

The following table lists the components of the deployment and the operating systems required for the servers and client devices.

XenApp farm
  Components: XenApp 5.0 for Microsoft Windows Server; SSL Relay enabled; Secure Ticket Authority installed on XenApp server
  Operating systems: Windows Server 2008; Windows Server 2003 with Service Pack 2

Web server
  Components: Web Interface for Internet Information Services; .NET Framework 3.5 or 2.0 (IIS 6.0 only); Visual J#.NET 2.0 Second Edition
  Operating systems: Windows Server 2008; Windows Server 2003 with Service Pack 2

Secure Gateway server
  Components: Secure Gateway 3.1 for Windows
  Operating systems: Windows Server 2008; Windows Server 2003 with Service Pack 2

Users' client devices
  Components: Citrix XenApp Plugin for Hosted Apps for Windows 11.x; TLS-enabled Web browser
  Operating systems: Windows Vista; Windows XP Professional
How the Components in Sample Deployment B Interact

Use TLS to secure the connections between client devices and Secure Gateway. To do this, deploy TLS/SSL-enabled plugins and configure Secure Gateway at the network perimeter, typically in a demilitarized zone (DMZ).

Secure the connections between users' Web browsers and the Web Interface using HTTPS. Additionally, secure communication between the Web Interface and the XenApp servers using TLS.

This diagram shows a detailed view of sample deployment B.1.

In this deployment, Secure Gateway removes the need to publish the address of every XenApp server in the farm and provides a single point of encryption and access to the farm. Secure Gateway does this by providing a gateway that is separate from the XenApp servers and reduces the issues for firewall traversal to a widely accepted port for ICA traffic in and out of the firewalls.

Set against the increased scalability of sample deployment B is the fact that ICA communication is encrypted only between client devices and Secure Gateway. ICA communication between Secure Gateway and the XenApp servers is not encrypted.

Note that the SSL Relay in sample deployment B is used to encrypt communication between the Web Interface and the XML Service running on the XenApp servers. Secure Gateway communicates with the XenApp servers directly, so the SSL Relay is not used for communication between Secure Gateway and the server farm.

To comply with FIPS 140, secure the communication between Secure Gateway and the server farm using IPSec, as shown in sample deployment B.2.

This diagram shows a detailed view of sample deployment B.2, which includes IPSec.
IPSec in Sample Deployment B

To enable IPSec to secure communication between Secure Gateway and the XenApp server farm, you must configure IPSec on each server, including the Secure Gateway server. IPSec is configured using the local security settings (IP security policies) for each server. In sample deployment B.2, IPSec is enabled on the requisite servers and the security method is configured for 3DES encryption and SHA-1 integrity to meet FIPS 140 requirements.

FIPS 140 Validation in Sample Deployment B

In this deployment, the SSL Relay uses the Microsoft cryptographic service providers and associated cryptographic algorithms available in the Microsoft Windows CryptoAPI to encrypt and decrypt communication between client devices and servers. For more information about the FIPS 140 validation of the CSPs, see the Microsoft documentation.

For Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003, TLS/SSL support and the supported ciphersuites can also be controlled using the following Microsoft security option:

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

For more information, see the documentation for your operating system.

TLS/SSL Support in Sample Deployment B

You can configure Secure Gateway and the Web Interface to use either the Transport Layer Security 1.0 protocol or the Secure Sockets Layer 3.0 protocol. In sample deployment B, the components are configured for TLS. For more information about configuring TLS, see the Web Interface, Secure Gateway for Windows, and Citrix plugin documentation.

Supported Ciphersuites for Sample Deployment B

In this deployment, Secure Gateway and the Web Interface can be configured to use government-approved cryptography, such as the ciphersuite RSA_WITH_3DES_EDE_CBC_SHA, to protect sensitive but unclassified data. For more information about configuring government ciphersuites, see the Secure Gateway for Windows and Citrix plugin documentation.

Alternatively, for TLS connections, you can use AES as defined in FIPS 197. The government ciphersuites are RSA_WITH_AES_128_CBC_SHA for 128-bit keys and RSA_WITH_AES_256_CBC_SHA for 256-bit keys. As defined in Internet RFC these ciphersuites use RSA key exchange and AES encryption. For more information about AES, see
Certificates and Certificate Authorities in Sample Deployment B

Citrix products use standard Public Key Infrastructure (PKI) as a framework and trust infrastructure. In sample deployment B, one server certificate is configured on Secure Gateway and one on the Web Interface. A certificate is also configured on each XenApp server. For more information, see the relevant product documentation.

Smart Card Support in Sample Deployment B

In this deployment, you can configure XenApp to provide smart card authentication. To do this, you must configure authentication with Microsoft Active Directory and use the Microsoft Certificate Authority.

Plugins Used in Sample Deployment B

In this deployment, users access their applications using the Citrix XenApp plugin. For more information about the security features and capabilities of Citrix XenApp Plugins, see Citrix XenApp Plugins.
Sample C Using Secure Gateway (Double-Hop)

This deployment uses Secure Gateway in a double-hop configuration to provide TLS/SSL encryption between a secure Internet gateway server and an SSL-enabled plugin, combined with encryption of the HTTP communication between Secure Gateway and the Web browser, the Web Interface, and the Secure Gateway proxy. Additionally, you can secure ICA traffic within the internal network using IPSec.

This diagram shows sample deployment C, which uses Secure Gateway in a double-hop configuration.

The following table lists the components of the deployment and the operating systems required for the servers and client devices.

XenApp farm
- Components: XenApp 5.0 for Microsoft Windows Server; SSL Relay enabled; Secure Ticket Authority installed on XenApp server
- Operating systems: Windows Server 2008; Windows Server 2003 with Service Pack 2

Web server
- Components: Web Interface for Internet Information Services
- Operating systems: Windows Server 2008; Windows Server 2003 with Service Pack 2; .NET Framework 3.5 or 2.0 (IIS 6.0 only); Visual J#.NET 2.0 Second Edition

Secure Gateway Service and Secure Gateway Proxy
- Components: Secure Gateway 3.1 for Windows
- Operating systems: Windows Server 2008; Windows Server 2003 with Service Pack 2

Users' client devices
- Components: Citrix XenApp Plugin for Hosted Apps for Windows 11.x; TLS-enabled Web browser
- Operating systems: Windows Vista; Windows XP Professional
How the Components in Sample Deployment C Interact

Here, the DMZ is divided into two sections by an additional firewall. The server running the Secure Gateway Service is located in the first section of the DMZ. The Web Interface and the Secure Gateway Proxy are located in the second section. Users connect to the Secure Gateway Service located in the first section of the DMZ.

Use TLS to secure the connections between client devices and Secure Gateway. To do this, deploy TLS/SSL-enabled plugins and configure Secure Gateway at the network perimeter, typically in a DMZ.

This diagram shows a detailed view of sample deployment C.

In this deployment, Secure Gateway removes the need to publish the address of every XenApp server in the farm and provides a single point of encryption and access to the farm. Secure Gateway does this by providing a gateway that is separate from the XenApp servers and reduces the issues for firewall traversal to a widely accepted port for ICA traffic in and out of the firewalls.

To comply with FIPS 140, secure the communication between the Secure Gateway Proxy and the server farm using IPSec.

IPSec in Sample Deployment C

To enable IPSec to secure communication between the Secure Gateway Proxy and the XenApp server farm, you must configure IPSec on each server, including the Secure Gateway Proxy. IPSec is configured using the local security settings (IP security policies) for each server. In sample deployment C, IPSec is enabled on the requisite servers and the security method is configured for 3DES encryption and SHA-1 integrity to meet FIPS 140 requirements.

FIPS 140 Validation in Sample Deployment C

In this deployment, the SSL Relay uses the Microsoft cryptographic service providers and associated cryptographic algorithms available in the Microsoft Windows CryptoAPI to encrypt and decrypt communication between client devices and servers. For more information about the FIPS 140 validation of the CSPs, see the Microsoft documentation.

For Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003, TLS/SSL support and the supported ciphersuites can also be controlled using the following Microsoft security option:

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

For more information, see the documentation for your operating system.

TLS/SSL Support in Sample Deployment C

You can configure Secure Gateway and the Web Interface to use either the Transport Layer Security 1.0 protocol or the Secure Sockets Layer 3.0 protocol. In sample deployment C, the components are configured for TLS. For more information about configuring TLS, see the Web Interface, Secure Gateway for Windows, and Citrix plugin documentation.

Supported Ciphersuites for Sample Deployment C

In this deployment, Secure Gateway, the Secure Gateway Proxy, and the Web Interface can be configured to use government-approved cryptography, such as the ciphersuite RSA_WITH_3DES_EDE_CBC_SHA, to protect sensitive but unclassified data. For more information about configuring government ciphersuites, see the Web Interface, Secure Gateway for Windows, and Citrix plugin documentation.

Alternatively, for TLS connections, you can use AES as defined in FIPS 197. The government ciphersuites are RSA_WITH_AES_128_CBC_SHA for 128-bit keys and RSA_WITH_AES_256_CBC_SHA for 256-bit keys. As defined in Internet RFC these ciphersuites use RSA key exchange and AES encryption. For more information about AES, see
Certificates and Certificate Authorities in Sample Deployment C

Citrix products use standard Public Key Infrastructure (PKI) as a framework and trust infrastructure. In sample deployment C, one server certificate is configured on Secure Gateway, one on the Secure Gateway Proxy, and one on the Web Interface. A certificate is also configured on each XenApp server. For more information, see the relevant product documentation.

Smart Card Support in Sample Deployment C

Smart card authentication is not supported in sample deployment C. You cannot configure smart card support when Secure Gateway is positioned between the client devices and the Web Interface to provide a single point of access to the server farm. For more information, see the Secure Gateway for Windows documentation.

Plugins Used in Sample Deployment C

In this deployment, users access their applications using the Citrix XenApp plugin. For more information about the security features and capabilities of Citrix XenApp Plugins, see Citrix XenApp Plugins.
Sample D Using the SSL Relay and the Web Interface

This deployment uses the SSL Relay and the Web Interface to encrypt the ICA and HTTP communication between the XenApp server and the Web server, combined with encryption of the HTTP communication between the Web browser and the Web server.

This diagram shows sample deployment D, which uses the SSL Relay and the Web Interface.

The following table lists the components of the deployment and the operating systems required for the servers and client devices.

XenApp farm
- Components: XenApp 5.0 for Microsoft Windows Server; SSL Relay enabled; Secure Ticket Authority installed on XenApp server
- Operating systems: Windows Server 2008; Windows Server 2003 with Service Pack 2

Web server
- Components: Web Interface for Internet Information Services
- Operating systems: Windows Server 2008; Windows Server 2003 with Service Pack 2; .NET Framework 3.5 or 2.0 (IIS 6.0 only); Visual J#.NET 2.0 Second Edition

Users' client devices
- Components: Citrix XenApp Plugin for Hosted Apps for Windows 11.x; TLS-enabled Web browser
- Operating systems: Windows Vista; Windows XP Professional
How the Components in Sample Deployment D Interact

Use HTTPS to secure the connections between users' Web browsers and the Web Interface. Secure the connection between the Web Interface and the SSL Relay using TLS. Additionally, use TLS to secure the connections between client devices and the SSL Relay.

The SSL Relay operates as an intermediary in communication between client devices, the Web Interface, and the XML Service on each server. Each client device authenticates the SSL Relay by checking the SSL Relay's server certificate against a list of trusted certificate authorities. After this authentication, the client device and the SSL Relay negotiate requests in encrypted form. The SSL Relay decrypts the requests and passes them to the XenApp servers.

All information sent to the client device from the servers passes through the SSL Relay, which encrypts the data and forwards it to the client device to be decrypted. Message integrity checks verify that each communication has not been tampered with.

This diagram shows a detailed view of sample deployment D.

FIPS 140 Validation in Sample Deployment D

In this deployment, the SSL Relay uses the Microsoft cryptographic service providers and associated cryptographic algorithms available in the Microsoft Windows CryptoAPI to encrypt and decrypt communication between client devices and servers. For more information about the FIPS 140 validation of the CSPs, see the Microsoft documentation.

For Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003, TLS/SSL support and the supported ciphersuites can also be controlled using the following Microsoft security option:

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

For more information, see the documentation for your operating system.

TLS/SSL Support in Sample Deployment D

You can configure the SSL Relay and the Web Interface to use either the Transport Layer Security 1.0 protocol or the Secure Sockets Layer 3.0 protocol. In sample deployment D, the components are configured for TLS. For more information about configuring TLS, see:

- The XenApp Administration documentation for the SSL Relay Configuration Tool. When using the SSL Relay Configuration Tool, ensure that TLS is selected on the Connection tab.
- The Web Interface documentation.
- The Citrix plugin documentation.

Supported Ciphersuites for Sample Deployment D

In this deployment, the SSL Relay and the Web Interface can be configured to use government-approved cryptography, such as the ciphersuite RSA_WITH_3DES_EDE_CBC_SHA, to protect sensitive but unclassified data. For more information about configuring government ciphersuites, see:

- The XenApp Administration documentation for the SSL Relay Configuration Tool. When using the SSL Relay Configuration Tool, ensure that only GOV is selected on the Ciphersuite tab.
- The Web Interface documentation.
- The Citrix plugin documentation.

Alternatively, for TLS connections, you can use AES as defined in FIPS 197. The government ciphersuites are RSA_WITH_AES_128_CBC_SHA for 128-bit keys and RSA_WITH_AES_256_CBC_SHA for 256-bit keys. As defined in Internet RFC these ciphersuites use RSA key exchange and AES encryption. For more information about AES, see
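The TLS/SSL Support and Supported Ciphersuites sections for sample deployments B, C and D state which protocol and ciphersuites the components are configured for. As an added example (not Citrix code and not part of the original document), the Python below parses a captured ServerHello record and reports whether the server actually negotiated TLS rather than SSL 3.0 and one of the three government ciphersuites named above. The ciphersuite IDs are the IANA registry values for those three suites; the function names and the sample records are constructed for illustration.

```python
import struct

# IANA TLS registry IDs for the three government ciphersuites this document names.
GOV_SUITES = {
    0x000A: "RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "RSA_WITH_AES_128_CBC_SHA",
    0x0035: "RSA_WITH_AES_256_CBC_SHA",
}
# Wire values of protocol versions, used only to label the result.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


class ParseError(ValueError):
    """Raised when the bytes are not one complete ServerHello record."""


def parse_server_hello(record: bytes) -> dict:
    """Extract the negotiated version and ciphersuite from one TLS record."""
    if len(record) < 5:
        raise ParseError("record header truncated")
    content_type, _record_version, length = struct.unpack("!BHH", record[:5])
    if content_type != 22:  # 22 = handshake
        raise ParseError(f"not a handshake record (content type {content_type})")
    fragment = record[5:5 + length]
    if len(fragment) != length or length < 4:
        raise ParseError("handshake fragment truncated")
    if fragment[0] != 2:  # 2 = ServerHello
        raise ParseError(f"not a ServerHello (handshake type {fragment[0]})")
    hello_len = int.from_bytes(fragment[1:4], "big")
    hello = fragment[4:4 + hello_len]
    # Fixed prefix: version (2) + random (32) + session_id length (1).
    if len(hello) != hello_len or hello_len < 35:
        raise ParseError("ServerHello body truncated")
    version = struct.unpack("!H", hello[:2])[0]
    suite_offset = 35 + hello[34]  # skip the variable-length session_id
    if len(hello) < suite_offset + 3:
        raise ParseError("ServerHello ends before ciphersuite and compression")
    suite = struct.unpack("!H", hello[suite_offset:suite_offset + 2])[0]
    return {"version": version, "suite": suite,
            "compression": hello[suite_offset + 2]}


def audit_server_hello(record: bytes) -> dict:
    """Check a ServerHello against the TLS and GOV-only settings described above."""
    hello = parse_server_hello(record)
    findings = []
    version_name = VERSIONS.get(hello["version"], f"0x{hello['version']:04X}")
    if hello["version"] < 0x0301:
        findings.append(f"negotiated {version_name}; the deployment is configured for TLS")
    suite_name = GOV_SUITES.get(hello["suite"])
    if suite_name is None:
        suite_name = f"0x{hello['suite']:04X}"
        findings.append(f"ciphersuite {suite_name} is not one of the government ciphersuites")
    return {"version": version_name, "suite": suite_name,
            "compliant": not findings, "findings": findings}


def build_sample_record(version: int, suite: int,
                        session_id: bytes = b"\x11" * 32) -> bytes:
    """Constructed ServerHello record for the demo (not a real capture)."""
    hello = (struct.pack("!H", version) + bytes(32) + bytes([len(session_id)])
             + session_id + struct.pack("!HB", suite, 0))
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake


if __name__ == "__main__":
    samples = {
        "TLS 1.0 + AES-128 (GOV)": build_sample_record(0x0301, 0x002F),
        "SSL 3.0 + 3DES (GOV suite, wrong protocol)": build_sample_record(0x0300, 0x000A),
        "TLS 1.0 + non-GOV suite 0x0005": build_sample_record(0x0301, 0x0005),
    }
    for label, record in samples.items():
        print(label, "->", audit_server_hello(record))
```

To run it against a real endpoint, pass the first server-to-client record from a packet capture of the handshake to `audit_server_hello`.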
Certificates and Certificate Authorities in Sample Deployment D

Citrix products use standard Public Key Infrastructure (PKI) as a framework and trust infrastructure. In sample deployment D, a separate server certificate is configured for each XenApp server on which the SSL Relay is used. For more information, see the XenApp Administration documentation.

Smart Card Support in Sample Deployment D

In this deployment, you can configure XenApp to provide smart card authentication. To do this, you must configure authentication with Microsoft Active Directory and use the Microsoft Certificate Authority.

Plugins Used in Sample Deployment D

In this deployment, users access their applications using the Citrix XenApp plugin. For more information about the security features and capabilities of Citrix XenApp Plugins, see Citrix XenApp Plugins.
Sample E Using Password Manager and Secure Gateway (Single-Hop)

This deployment uses Password Manager and Secure Gateway in a single-hop configuration to enable single sign-on and TLS/SSL encryption between a secure Internet gateway server and an SSL-enabled plugin, combined with encryption of the HTTP communication between the Web browser and the Web server. Additionally, you can secure ICA traffic within the internal network using IPSec.

For further information about the Password Manager components in this deployment, see the Password Manager documentation.

This diagram shows sample deployment E, which uses Password Manager and Secure Gateway.

Note: The Password Manager central store is hosted on two servers (primary and secondary), both running Active Directory. The secondary server is only used to provide failover for the primary server.

The following table lists the components of the deployment and the operating systems required for the servers and client devices.

XenApp farm
- Components: XenApp 5.0 for Microsoft Windows Server; SSL Relay not enabled; Secure Ticket Authority installed on XenApp server; Password Manager 4.6 with Service Pack 1 agent
- Operating systems: Windows Server 2008; Windows Server 2003 with Service Pack 2; Java 1.4.x or later

Password Manager Service
- Components: Password Manager 4.6 with Service Pack 1 Service
- Operating systems: Windows Server 2008 (32-bit); Windows Server 2003 with Service Pack 2 (32-bit); Windows Server 2003 R2 (32-bit); .NET Framework 2.0

Password Manager central store
- Components: Password Manager 4.6 with Service Pack 1 central store
- Operating systems: Windows Server 2008; Windows Server 2003 with Service Pack 2

Web server
- Components: Web Interface for Internet Information Services
- Operating systems: Windows Server 2008; Windows Server 2003 with Service Pack 2; .NET Framework 3.5 or 2.0 (IIS 6.0 only); Visual J#.NET 2.0 Second Edition

Secure Gateway server
- Components: Secure Gateway 3.1 for Windows
- Operating systems: Windows Server 2008; Windows Server 2003 with Service Pack 2

Users' client devices
- Components: Citrix XenApp Plugin for Hosted Apps for Windows 11.x; TLS-enabled Web browser
- Operating systems: Windows Vista; Windows XP Professional
How the Components in Sample Deployment E Interact

Use TLS to secure the connections between client devices and Secure Gateway. To do this, deploy TLS/SSL-enabled plugins and configure Secure Gateway at the network perimeter, typically in a demilitarized zone (DMZ).

Secure the connections between users' Web browsers and the Web Interface using HTTPS. Additionally, use TLS to secure communication between the Web Interface and the XenApp server farm, and between the farm and the Password Manager central store and Password Manager service.

In this deployment, Secure Gateway removes the need to publish the address of every XenApp server in the farm and provides a single point of encryption and access to the farm. Secure Gateway does this by providing a gateway that is separate from the XenApp servers and reduces the issues for firewall traversal to a widely accepted port for ICA traffic in and out of the firewalls.

Set against the increased scalability of sample deployment E is the fact that ICA communication is encrypted only between client devices and Secure Gateway. ICA communication between Secure Gateway and the XenApp servers is not encrypted.

To comply with FIPS 140, secure the communication between Secure Gateway and the server farm using IPSec.

This diagram shows a detailed view of sample deployment E.
More informationReceiver for Mac 11.4
Receiver for Mac 11.4 2014-12-16 14:18:25 UTC 2014 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents Receiver for Mac 11.4... 3 About this Release... 4 System
More informationCitrix Receiver for Universal Windows Platform
Citrix Receiver for Universal Windows Platform Jul 18, 2017 Citrix Receiver for Universal Windows Platform (UWP) is client software available for download from the Microsoft store. It enables users to
More informationCOURSE OUTLINE IT TRAINING
CMB-207-1I Citrix XenApp and XenDesktop Fast Track Duration: 5 days Overview: This fast-paced course covers select content from training courses CXA-206 and CXD- 202 and provides the foundation necessary
More informationVMware AirWatch Cloud Connector Guide ACC Installation and Integration
VMware AirWatch Cloud Connector Guide ACC Installation and Integration Workspace ONE UEM v1810 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.
More informationDeploying F5 with Citrix XenApp or XenDesktop
Deploying F5 with Citrix XenApp or XenDesktop Welcome to the F5 deployment guide for Citrix VDI applications, including XenApp and XenDesktop with the BIG-IP system v11.4 and later. This guide shows how
More informationReady Theatre Systems RTS POS
Ready Theatre Systems RTS POS PCI PA-DSS Implementation Guide Revision: 2.0 September, 2010 Ready Theatre Systems, LLC - www.rts-solutions.com Table of Contents: Introduction to PCI PA DSS Compliance 2
More informationCXA-204-1I Basic Administration for Citrix XenApp 6
CXA-204-1I Basic Administration for Citrix XenApp 6 Basic Administration for Citrix XenApp 6 training course provides the foundation necessary for administrators to effectively centralize and manage applications
More informationUsing the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway
Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Applying Application Delivery Technology to Web Services Overview The Cisco ACE XML Gateway is the newest
More informationGoogle Cloud Platform: Customer Responsibility Matrix. April 2017
Google Cloud Platform: Customer Responsibility Matrix April 2017 Introduction 3 Definitions 4 PCI DSS Responsibility Matrix 5 Requirement 1 : Install and Maintain a Firewall Configuration to Protect Cardholder
More informationCoSign Hardware version 7.0 Firmware version 5.2
CoSign Hardware version 7.0 Firmware version 5.2 FIPS 140-2 Non-Proprietary Security Policy Level 3 Validation July 2010 Copyright 2009 AR This document may be freely reproduced and distributed whole and
More informationData Sheet. NCP Secure Enterprise macos Client. Next Generation Network Access Technology
Universal, centrally managed VPN Client Suite for macos/os X Central Management and Network Access Control Compatible with VPN Gateways (IPsec Standard) Integrated, dynamic Personal Firewall VPN Path Finder
More informationHow to Configure Mobile VPN for Forcepoint NGFW TECHNICAL DOCUMENT
How to Configure Mobile VPN for Forcepoint NGFW TECHNICAL DOCUMENT Table of Contents TABLE OF CONTENTS 1 BACKGROUND 2 WINDOWS SERVER CONFIGURATION STEPS 2 CONFIGURING USER AUTHENTICATION 3 ACTIVE DIRECTORY
More informationInterface. Circuit. CryptoMate
A C O S 5 - C T M C r y p t o M a t e U S B T o k e n Version 1.5 03-2007, Email: info@acs.com.hk Website: www.acs.com.hk CryptoMate USB Token 1.0 Introduction Frustrated by network breaches like Trojan
More informationIBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights
IBM Secure Proxy Advanced edge security for your multienterprise data exchanges Highlights Enables trusted businessto-business transactions and data exchange Protects your brand reputation by reducing
More informationVMware Workspace ONE UEM VMware AirWatch Cloud Connector
VMware AirWatch Cloud Connector VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this
More informationApplication Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )
Application Note Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder ) This document describes how to configure McAfee Firewall Enterprise to provide
More informationIndeed Card Management Smart card lifecycle management system
Indeed Card Management Smart card lifecycle management system Introduction User digital signature, strong authentication and data encryption have become quite common for most of the modern companies. These
More informationCitrix Workspace app for ios
Citrix Product Documentation docs.citrix.com October 22, 2018 Contents What s new in Citrix Workspace app for ios 3 What s new in 1810.1....................................... 3 What s new in 1810........................................
More informationCXA Citrix XenApp 6.5 Administration
1800 ULEARN (853 276) www.ddls.com.au CXA-206-1 Citrix XenApp 6.5 Administration Length 5 days Price $5500.00 (inc GST) Citrix XenApp 6.5 Administration training course provides the foundation necessary
More informationDameware ADMINISTRATOR GUIDE. Version Last Updated: October 18, 2017
ADMINISTRATOR GUIDE Dameware Version 12.0 Last Updated: October 18, 2017 Retrieve the latest version from: https://support.solarwinds.com/success_center/dameware_remote_support_mini_remote_control 2017
More informationDBsign for HTML Applications Version 4.0 Release Notes
DBsign for HTML Applications Version 4.0 Release Notes Copyright 2010 Version 4.0 Copyright Notice: The Release Notes has a copyright of 2000-2010 by Gradkell Computers, Inc. This work contains proprietary
More informationCitrix XenApp 6.5 Administration
Citrix XenApp 6.5 Administration CXA206; 5 Days, Instructor-led Course Description Citrix XenApp 6.5 Administration training course provides the foundation necessary for administrators to effectively centralize
More informationSecurity Digital Certificate Manager
System i Security Digital Certificate Manager Version 6 Release 1 System i Security Digital Certificate Manager Version 6 Release 1 Note Before using this information and the product it supports, be sure
More informationThales e-security. Security Solutions. PosAm, 06th of May 2015 Robert Rüttgen
Thales e-security Security Solutions PosAm, 06th of May 2015 Robert Rüttgen Hardware Security Modules Hardware vs. Software Key Management & Security Deployment Choices For Cryptography Software-based
More informationCreate and Apply Clientless SSL VPN Policies for Accessing. Connection Profile Attributes for Clientless SSL VPN
Create and Apply Clientless SSL VPN Policies for Accessing Resources, page 1 Connection Profile Attributes for Clientless SSL VPN, page 1 Group Policy and User Attributes for Clientless SSL VPN, page 3
More informationSecurity and Certificates
Encryption, page 1 Voice and Video Encryption, page 6 Federal Information Processing Standards, page 6 Certificate Validation, page 6 Required Certificates for On-Premises Servers, page 7 Certificate Requirements
More informationipad in Business Security Overview
ipad in Business Security Overview ipad can securely access corporate services and protect data on the device. It provides strong encryption for data in transmission, proven authentication methods for
More informationINCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.
INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS Protect Critical Enterprise Applications and Cardholder Information with Enterprise Application Access Scope and Audience This guide is for
More informationPLATO Learning Environment System and Configuration Requirements
PLATO Learning Environment System and Configuration Requirements For Workstations December 13, 2010 1 Content About This Document... 3 Document Change Log... 4 System & Configuration Requirements... 5
More informationAlliance Key Manager A Solution Brief for Technical Implementers
KEY MANAGEMENT Alliance Key Manager A Solution Brief for Technical Implementers Abstract This paper is designed to help technical managers, product managers, and developers understand how Alliance Key
More informationFundamentals of Windows Server 2008 Network and Applications Infrastructure
COURSE OVERVIEW This five-day instructor-led course introduces students to network and applications infrastructure concepts and configurations provided by Window Server 2008. Students will be able to acquire
More informationQuickSpecs. Key Features and Benefits. HP C-Series MDS 9000 Storage Media Encryption (SME) Software. Overview. Retired
Overview MDS 9000 Storage Media Encryption (SME) secures data stored on tape drives and virtual tape libraries (VTLs) in a storage area network (SAN) environment using secure IEEE standard Advanced Encryption
More informationAdministrator s Guide
Administrator s Guide Citrix ICA Win32 Clients Version 7.0 Citrix Systems, Inc. Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. A copy
More informationfor Windows 2000 Servers. Application server software for enterprises to compete in the digital economy.
Citrix MetaFrame for Windows 2000 Servers. Application server software for enterprises to compete in the digital economy. Citrix is the world leader in application server software and services that provide
More informationCisco Passguide Exam Questions & Answers
Cisco Passguide 642-648 Exam Questions & Answers Number: 642-648 Passing Score: 800 Time Limit: 120 min File Version: 61.8 http://www.gratisexam.com/ Cisco 642-648 Exam Questions & Answers Exam Name: Deploying
More informationCitrix - CXA XenApp 6.5 Administration
Citrix - CXA-206 - XenApp 6.5 Administration Duration: 5 days Course Price: $4,995 Course Description CXA-206-1 Citrix XenApp 6.5 Basic Administration Training Course Citrix XenApp 6.5 Basic Administration
More informationDigitalPersona Pro Enterprise
DigitalPersona Pro Enterprise Quick Start Guide Version 5 DATA PROTECTION REMOTE ACCESS SECURE COMMUNICATION STRONG AUTHENTICATION ACCESS RECOVERY SINGLE SIGN-ON DigitalPersona Pro Enterprise DigitalPersona
More informationSafeguarding Cardholder Account Data
Safeguarding Cardholder Account Data Attachmate Safeguarding Cardholder Account Data CONTENTS The Twelve PCI Requirements... 1 How Reflection Handles Your Host-Centric Security Issues... 2 The Reflection
More informationCryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea
Cryptography SSL/TLS Network Security Workshop 3-5 October 2017 Port Moresby, Papua New Guinea 1 History Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent
More informationCourse overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)
Overview This course is intended for those wishing to qualify with CompTIA Security+. CompTIA's Security+ Certification is a foundation-level certificate designed for IT administrators with 2 years' experience
More informationVMware AirWatch Certificate Authentication for Cisco IPSec VPN
VMware AirWatch Certificate Authentication for Cisco IPSec VPN For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.
More informationTechnical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2. Microsoft Windows Family of Operating Systems
Technical Overview of in Windows 7 and Windows Server 2008 R2 Microsoft Windows Family of Operating Systems Published: January 2009 This document supports a preliminary release of a software product that
More informationNetExtender for SSL-VPN
NetExtender for SSL-VPN Document Scope This document describes how to plan, design, implement, and manage the NetExtender feature in a SonicWALL SSL-VPN Environment. This document contains the following
More informationConfiguring Secure Socket Layer HTTP
This feature provides Secure Socket Layer (SSL) version 3.0 support for the HTTP 1.1 server and HTTP 1.1 client within Cisco IOS software. SSL provides server authentication, encryption, and message integrity
More informationConfiguring Secure Socket Layer HTTP
This feature provides Secure Socket Layer (SSL) version 3.0 support for the HTTP 1.1 server and HTTP 1.1 client within Cisco IOS software. SSL provides server authentication, encryption, and message integrity
More informationNCP Secure Enterprise Management for Linux Release Notes
Major Release: 4.01 r32851 Date: November 2016 Prerequisites The following x64 operating systems and databases with corresponding ODBC driver have been tested and released: Linux Distribution Database
More information1Y0-371 Q&As. Designing, Deploying and Managing Citrix XenMobile 10 Enterprise Solutions. Pass home 1Y0-371 Exam with 100% Guarantee
1Y0371 Q&As Designing, Deploying and Managing Citrix XenMobile 10 Enterprise Solutions Pass home 1Y0371 Exam with 100% Guarantee Free Download Real Questions & Answers PDF and VCE file from: 100% Passing
More informationPLATO Learning Environment (v2.0) System and Configuration Requirements
PLATO Learning Environment (v2.0) System and Configuration Requirements For Workstations July 30, 2010 Windows XP Home and Professional (SP3) Windows Vista Home/Premium/Business/Ultimate Windows 7 Home/Premium/Business/Ultimate
More informationPROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL
Q&A PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL This document answers questions about Protected Extensible Authentication Protocol. OVERVIEW Q. What is Protected Extensible Authentication Protocol? A.
More informationRSA SecurID Ready Implementation Guide
RSA SecurID Ready Implementation Guide Partner Information Last Modified: February 16, 2006 Product Information Partner Name ipass Inc. Web Site www.ipass.com Product Name ipass Enterprise Connectivity
More information