Consolidate and secure access to any enterprise application with the Citrix Unified Gateway. Peter Leimgruber, SE Networking, Citrix
Unified Gateway 2015 Citrix Confidential
Currently many customers use NetScaler only for XenApp and XenDesktop.
[Diagram: NetScaler as ADC/SG in front of SaaS, Client/Server, ICA, SSL VPN, mVPN and Mobile User traffic, spanning Public Cloud, On-Prem, Hybrid Cloud and Distributed App Infrastructure]
...but many customers are looking for a unified solution for remote access.
Multiple point solutions result in:
- Multiple URLs that give a limited or poor end-user experience
- Complicated and hard-to-manage infrastructure
- Multiple islands with limited integration between solutions
- Multiple upgrade cycles that lead to disruption
- Misconfiguration of security and access policies
NetScaler with Unified Gateway provides one URL and consolidation of the remote access infrastructure.
[Diagram: the same SaaS, Client/Server, ICA, SSL VPN, mVPN and Mobile User traffic across Public Cloud, On-Prem, Hybrid Cloud and Distributed App Infrastructure, now behind a single ADC/SG]
Use Case 1: NetScaler with Unified Gateway provides secure remote access to web and enterprise legacy apps
- Provides secure remote access to web and enterprise legacy applications such as ERP/CRM applications, SharePoint applications, network file shares, etc.
- Provides AAA-TM monitoring for these applications
- CVPN (clientless VPN) for Microsoft applications such as SharePoint, OWA and Lync
- Support for Windows, Mac, Linux, iOS and Android
- Native and 3rd-party single sign-on across applications
- Single portal to publish applications
Use Case 2: NetScaler with Unified Gateway provides secure remote access to Citrix XenApp and XenDesktop
- Provides centralized access control policy management for Citrix XenApp/XenDesktop applications
- Only product to provide complete visibility and monitoring tools for XA/XD traffic
- Only product to provide adaptive access control policies for XA/XD
- EPA scans of end-user devices
- Native and 3rd-party single sign-on across applications
- Single portal to publish applications
Use Case 3: NetScaler with Unified Gateway provides secure remote access to cloud and SaaS applications
- Provides AAA-TM monitoring for cloud and SaaS applications such as Salesforce, Office 365, etc.
- Native and 3rd-party single sign-on across applications
- Centralized access control policies
- Single portal to publish all cloud/SaaS applications
Use Case 4: NetScaler provides seamless integration with XenMobile
- Seamless integration with Citrix XenMobile
- Per-app VPN (MicroVPN) for XM applications
- EPA scans of end-user devices
- Optimization of XM traffic
- Visibility and monitoring tools for XM traffic
- One single portal to publish applications
Unified Gateway: what's new in Gateway?
- The Gateway vserver can sit behind a CS vserver; it no longer needs its own IP/port.
- Single point of configuration for all policies (authentication/authorization/session).
- Login once: one login for all GW/TM/SaaS apps that are published on the gateway portal.
- Logout once: a single logout for all TM web apps/enterprise apps behind Unified Gateway.
Unified Gateway: Topology
[Diagram: a CS vserver in front of the Auth/GW vserver (Login Once) and a set of LB vservers with services, covering Clientless Access, GW Access & SSO, Virtual Apps & Desktops, and VPN/Tunnel Access]
Unified Gateway: Quick look at the portal
Unified Gateway - Seamless SSO (GW -> TM)
[Diagram: Internet -> CS vserver (CS policy evaluation) -> Auth/GW vserver, where authentication happens; seamless SSO from the GW vserver to the TM LB vservers (HTTP/SSL TM backends) and to HTTP/SSL GW backends (XA/XD/XM etc., OWA/SharePoint); backend SSO to HTTP/SSL backends using Basic/Digest/Form/NTLM/Kerberos; auth servers and an external SAML SP; enterprise/on-prem]
Unified Gateway - Seamless SSO (TM -> GW & TM -> TM)
[Diagram: Internet -> CS vserver (CS policy evaluation) -> TM LB1 (HTTP/SSL), with authentication at the GW vserver bound to the CS vserver; seamless SSO from TM LB1 to the other TM LB vservers (HTTP/SSL TM backends) and to the GW vserver and its HTTP/SSL GW backends (XA/XD/XM etc., OWA/SharePoint); backend SSO to HTTP/SSL backends using Basic/Digest/Form/NTLM/Kerberos; auth servers; enterprise/on-prem]
Unified Gateway License Requirements
Feature | License
Unified Gateway | NetScaler Platinum, NetScaler Enterprise, NetScaler Standard, NetScaler Gateway
Unified Gateway Security Concerns
- Seamless SSO is optional for Gateway: the -loginonce knob can be turned OFF to disable TM->GW or GW->TM seamless SSO. The default value is OFF.
- TM may need a higher level of authentication: step-up authentication for TM can be configured behind Unified Gateway.
- SSL properties for smart card authentication are taken from the CS vserver.
Change ICAProxy into Unified Gateway: OWA Example
ICAProxy to Unified Gateway: OWA Example
Step 1: Move the SSLVPN vserver to an internal IP and enable LoginOnce
CLI: set vpn vserver icaproxy.peter.lab -ipaddress 2.2.2.2 -loginonce on
ICAProxy to Unified Gateway: OWA Example
Step 2: Add the OWA LB vserver and set its authentication to the SSLVPN vserver ICAProxy
CLI: add lb vserver LB_OWA HTTP 0.0.0.0 0
CLI: set lb vserver LB_OWA -Authentication ON -authnvsname icaproxy.peter.lab
ICAProxy to Unified Gateway: OWA Example
Step 3: Add the CS vserver and CS policies
CLI: add cs vserver UG_ICAProxy SSL 192.168.178.60 443
CLI: add cs action CS_OWA -targetlbvserver LB_OWA
CLI: add cs action CS_SSLVPN_ICAProxy -targetvserver icaproxy.peter.lab
CLI: add cs policy CS_Pol_OWA -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/owa\")" -action CS_OWA
CLI: add cs policy CS_Pol_ICAProxy -rule true -action CS_SSLVPN_ICAProxy
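The three steps above, rendered as a POSIX shell script that writes out the NetScaler batch file for the conversion. This is an added example, not Citrix's tool and not part of the deck; it takes the deck's names (icaproxy.peter.lab, 2.2.2.2, 192.168.178.60, LB_OWA, /owa, UG_ICAProxy) as arguments and adds two `bind cs vserver` commands, assumed here to complete step 3, which the slides do not show. The helper that builds the content-switching rule escapes the inner quotes of the STARTSWITH() argument inside the outer -rule quoting and refuses a path prefix that contains a quote, backslash or space, so a generated policy cannot silently match something other than the intended path.

```shell
#!/bin/sh
# Added example (not from the Citrix deck): generate the NetScaler batch
# file for the ICAProxy -> Unified Gateway conversion. The printed lines
# are NetScaler CLI commands meant for "batch -fileName" on the appliance;
# this script does not talk to a NetScaler itself.

# Build the CS rule for a URL path prefix. Inside the outer "-rule" quotes
# the STARTSWITH() argument needs backslash-escaped double quotes.
cs_path_rule() {
    prefix="$1"
    case "$prefix" in
        /*) ;;
        *) echo "prefix must be an absolute path starting with /" >&2; return 1 ;;
    esac
    # A quote, backslash or space would break out of the expression and
    # change what the policy matches, so reject them outright.
    case "$prefix" in
        *'"'*|*\\*|*' '*) echo "prefix contains a quote, backslash or space" >&2; return 1 ;;
    esac
    printf '"HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\\"%s\\")"' "$prefix"
}

# Print the full conversion in order. Arguments:
#   $1 gateway (SSLVPN) vserver name          deck: icaproxy.peter.lab
#   $2 internal IP for the gateway vserver    deck: 2.2.2.2
#   $3 public IP for the new CS vserver       deck: 192.168.178.60
#   $4 LB vserver name for the web app        deck: LB_OWA
#   $5 URL path prefix routed to that LB      deck: /owa
ug_batch() {
    gw="$1"; gw_ip="$2"; cs_ip="$3"; lb="$4"; prefix="$5"
    rule=$(cs_path_rule "$prefix") || return 1
    # Step 1: gateway vserver moves to an internal IP, LoginOnce on
    printf '%s\n' "set vpn vserver $gw -ipaddress $gw_ip -loginonce on"
    # Step 2: non-addressable LB vserver that authenticates via the gateway
    printf '%s\n' "add lb vserver $lb HTTP 0.0.0.0 0"
    printf '%s\n' "set lb vserver $lb -Authentication ON -authnvsname $gw"
    # Step 3: CS vserver on the public IP with the app and the gateway behind it
    printf '%s\n' "add cs vserver UG_ICAProxy SSL $cs_ip 443"
    printf '%s\n' "add cs action CS_${lb} -targetlbvserver $lb"
    printf '%s\n' "add cs action CS_SSLVPN_ICAProxy -targetvserver $gw"
    printf '%s\n' "add cs policy CS_Pol_${lb} -rule $rule -action CS_${lb}"
    printf '%s\n' "add cs policy CS_Pol_ICAProxy -rule true -action CS_SSLVPN_ICAProxy"
    # Assumed addition: bind the app policy first, the catch-all gateway policy last
    printf '%s\n' "bind cs vserver UG_ICAProxy -policyName CS_Pol_${lb} -priority 100"
    printf '%s\n' "bind cs vserver UG_ICAProxy -policyName CS_Pol_ICAProxy -priority 110"
}

# Usage (writes the batch file to the current directory):
#   ug_batch icaproxy.peter.lab 2.2.2.2 192.168.178.60 LB_OWA /owa > ug_icaproxy.conf
```

The catch-all `-rule true` policy must carry the lower priority (higher number), otherwise every request, including /owa, lands on the gateway vserver; the two bind lines encode that ordering explicitly.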
nFactor for Gateway
nFactor Motivation
- Flexibility
- Extensibility
- Conditional authentication
- Customized messages/feedback
- Recovery
Example 1: Classic model
[Diagram: order of execution is left to right; dots represent policies; like colors represent pairs in 2-factor; transitions represent the desired flow]
Task: how do you unravel this formation?
Example 1: nFactor
Simpler, isn't it?
Problems with the Legacy Model
- All users on a vserver see the same number of cascades: you need multiple endpoints
- Login pages cannot show extra fields and elements dynamically (pwcount)
- Username and password field names cannot change
- Factors are not adaptive: group extraction cannot be done first
- A maximum of two factors
- Some factors can only happen in primary
- Login pages are static
- Context-sensitive help is not dynamic
nFactor for Gateway: end of Q1/16
[Diagram: existing model on NetScaler with the CS vserver, TM vserver, authentication and Gateway]
2-Factor Cert or OTP: look and feel (TM: Alex Maslo)
2-Factor Cert or OTP: logical flow (TM: Alex Maslo)
2-Factor Cert or OTP: nFactor flow (TM: Alex Maslo)
NetScaler Deployment Guides
Microsoft applications landscape
NetScaler VPX on Azure for XA/XD: Active/Standby
NetScaler + Exchange 2013 Deployment Guides
- Deployment
- Authentication & Optimization
- GSLB
- ActiveSync with Kerberos
NetScaler + SharePoint 2013 Deployment Guides
- Traffic Management (LB/CS) and Authentication - AppExpert
- Hybrid Deployment
- GSLB
- Optimization
- Cisco ACI Automation
NetScaler + Office 365 Deployment Guide
- Forms Authentication + SAML
- Kerberos Authentication + SAML
Remote Desktop Services
RDP Proxy
- Enterprise/Platinum edition license
- Uses the native RDP client for the connection
- Single Gateway/Dual Gateway solution
- Single sign-on ability
- Security enforcement
RDS LB
- Load balancing of the RDP protocol
- Native RDP-type vservers on NS (CTX131808)
Work better. Live better.