Peter Leimgruber, SE networking, Citrix
Consolidate and secure access to any enterprise application with the Citrix Unified Gateway
© 2015 Citrix | Confidential
Unified Gateway
[Diagram: today's remote-access landscape – Mobile User, Client/Server, SaaS, SG, ADC, SSL VPN, mVPN, ICA, Distributed App Infrastructure, Public Cloud, Hybrid Cloud, On Prem]
Currently many customers use NetScaler only for XenApp and XenDesktop.
• Multiple point solutions result in:
– Multiple URLs, which provide a limited or poor end-user experience
– Complicated and hard-to-manage infrastructure
– Multiple islands with limited integration between solutions
– Multiple upgrade cycles that lead to disruption
– Misconfiguration of security and access policies
…but many customers are looking for a Unified Solution for remote access
[Diagram: the same landscape – Mobile User, Client/Server, SaaS, SG, ADC, ICA, SSL VPN, mVPN, Distributed App Infrastructure, Public Cloud, Hybrid Cloud, On Prem]
NetScaler with Unified Gateway provides One URL and consolidation of remote access infrastructure
Use Case 1: NetScaler with Unified Gateway provides secure and remote access to Web and Enterprise legacy apps
• Provides secure remote access to web and enterprise legacy applications such as:
– ERP/CRM applications
– SharePoint applications
– Network file shares, etc.
• Provides AAA-TM monitoring for these applications
• CVPN for Microsoft applications like SharePoint, OWA, Lync
• Support for Windows, Mac, Linux, iOS and Android
• Native and 3rd party Single Sign-On across applications
• Single portal to publish applications
Use Case 2: NetScaler with Unified Gateway provides secure and remote access to Citrix XenApp and XenDesktop
• Provides centralized access control policy management for Citrix XenApp/XenDesktop applications
• Only product to provide complete visibility and monitoring tools for XA/XD traffic
• Only product to provide Adaptive access control policies for XA/XD
• EPA scans of end user devices
• Native and 3rd party single sign-on across applications
• Single portal to publish applications
Use Case 3: NetScaler with Unified Gateway provides secure and remote access to Cloud and SaaS applications
• Provides AAA-TM monitoring for cloud and SaaS applications such as:
– Salesforce
– Office 365
– etc.
• Native and 3rd party single sign-on across applications
• Centralized access control policies
• Single portal to publish all cloud/SaaS applications
Use Case 4: NetScaler provides seamless integration with XenMobile
• Seamless integration with Citrix XenMobile
• Per App VPN (MicroVPN) for XM applications
• EPA scans of end user devices
• Optimization of XM traffic
• Visibility and monitoring tools for XM traffic
• One single portal to publish applications
Unified Gateway – What’s new in Gateway?
• Gateway vserver
– Can be placed behind a CS vserver.
– Does not need its own IP/port.
– Single point of configuration for all policies (authentication/authorization/session)
• Login once – one login for all GW/TM/SaaS apps that are published on the gateway portal.
• Logout once – single logout for all TM web apps/enterprise apps behind Unified Gateway.
Unified Gateway: Topology
[Diagram: a CS vserver in front of a GW vserver and three LB vservers, each LB with its backend services (svc); the GW vserver provides Auth, Login Once, Clientless Access, VPN/Tunnel Access, and Virtual Apps & Desktops Access & SSO]
Unified Gateway: Quick look at the portal
[Screenshot: Unified Gateway portal page]
Unified Gateway – Seamless SSO (GW → TM)
[Diagram: Internet → CS vserver → GW vserver (auth happens at the GW; External SAML SP) → HTTP/SSL TM LB vservers → HTTP/SSL TM backends (Basic/Digest/Form/NTLM/Kerberos); AUTH servers; XA/XD/XM etc., OWA/SP; HTTP/SSL GW backends. Flow: Content Switching → CS policy evaluation → Seamless SSO → Backend SSO → Backend traffic]
Unified Gateway – Seamless SSO (TM → GW & TM → TM)
[Diagram: Internet → CS vserver with the GW vserver bound to it (auth @ GW) → TM LB1 (HTTP/SSL) and SSL TM LB vservers → HTTP/SSL TM backends (Basic/Digest/Form/NTLM/Kerberos) and HTTP/SSL GW backends; AUTH servers; XA/XD/XM etc., OWA/SP; Enterprise/On prem. Flow: Content Switching → CS policy evaluation → Seamless SSO → Backend SSO → Backend traffic]
Unified Gateway – License Requirements
License – Unified Gateway feature:
NetScaler Platinum: ✔
NetScaler Enterprise: ✔
NetScaler Standard: ✗
NetScaler Gateway: ✗
Unified Gateway – Security Concerns
• Seamless SSO is optional for Gateway
– The ‘-loginOnce’ knob can be turned OFF to disable TM->GW or GW->TM seamless SSO.
– Default value is OFF.
• TM may need a higher level of authentication
– Step-up authentication for TM can be configured behind Unified Gateway.
• SSL properties for smart card authentication are taken from the CS vserver.
Change ICAProxy into Unified Gateway: OWA Example
Step 1: Move the SSLVPN vserver to an internal IP and enable LoginOnce
CLI: set vpn vserver icaproxy.peter.lab -ipAddress 2.2.2.2 -loginOnce on
Step 2: Add the OWA LB vserver and set its authentication to the SSLVPN vserver ICAProxy
CLI: add lb vserver LB_OWA HTTP 0.0.0.0 0
CLI: set lb vserver LB_OWA -Authentication ON -authnVsName icaproxy.peter.lab
Step 3: Add the CS vserver and the CS policies
CLI: add cs vserver UG_ICAProxy SSL 192.168.178.60 443
CLI: add cs action CS_OWA -targetLBVserver LB_OWA
CLI: add cs action CS_SSLVPN_ICAProxy -targetVserver icaproxy.peter.lab
CLI: add cs policy CS_Pol_OWA -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/owa\")" -action CS_OWA
CLI: add cs policy CS_Pol_ICAProxy -rule true -action CS_SSLVPN_ICAProxy
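As an added example (not from the slides and not Citrix code), a small Python audit script that parses the NetScaler CLI lines of the OWA example above and checks the properties the preceding slides call out: the CS vserver is the single SSL front door, every LB vserver reachable through a CS action has -Authentication ON with an authnVsName, that gateway vserver has -loginOnce ON (the default is OFF, so TM->GW seamless SSO would otherwise be silently absent), and exactly one catch-all policy (-rule true) hands every unmatched URL to the gateway. The parser handles only these command shapes and is not the real NetScaler configuration grammar; the slides do not show the CS policy bindings, so every defined CS policy is treated as in effect, and the second configuration with LB_INTRANET is constructed to give the checker something to flag.

```python
import re
import shlex

# The OWA configuration as it appears on the slides.
SLIDE_CONFIG = r"""
set vpn vserver icaproxy.peter.lab -ipAddress 2.2.2.2 -loginOnce on
add lb vserver LB_OWA HTTP 0.0.0.0 0
set lb vserver LB_OWA -Authentication ON -authnVsName icaproxy.peter.lab
add cs vserver UG_ICAProxy SSL 192.168.178.60 443
add cs action CS_OWA -targetLBVserver LB_OWA
add cs action CS_SSLVPN_ICAProxy -targetVserver icaproxy.peter.lab
add cs policy CS_Pol_OWA -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/owa\")" -action CS_OWA
add cs policy CS_Pol_ICAProxy -rule true -action CS_SSLVPN_ICAProxy
"""

# Constructed variant: a second TM application published through the same CS vserver,
# but with authentication never switched on for its LB vserver.
WEAK_CONFIG = SLIDE_CONFIG + r"""
add lb vserver LB_INTRANET HTTP 0.0.0.0 0
add cs action CS_INTRANET -targetLBVserver LB_INTRANET
add cs policy CS_Pol_INTRANET -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/intranet\")" -action CS_INTRANET
"""

_OPT = re.compile(r"-[A-Za-z]")   # an option token starts with '-' and a letter (not an IP or port)


def parse_ns_commands(text):
    """Split '<verb> <type> <subtype> <name> [positional...] [-opt value]...' lines into records.
    Option names are lower-cased because the CLI accepts them case-insensitively."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)           # keeps the quoted -rule expression as one token
        verb, obj, rest = tokens[0], " ".join(tokens[1:3]), tokens[3:]
        name, positional, opts = (rest[0] if rest else None), [], {}
        i = 1
        while i < len(rest):
            tok = rest[i]
            if _OPT.match(tok):
                has_value = i + 1 < len(rest) and not _OPT.match(rest[i + 1])
                opts[tok[1:].lower()] = rest[i + 1] if has_value else True
                i += 2 if has_value else 1
            else:
                positional.append(tok)
                i += 1
        records.append({"verb": verb, "obj": obj, "name": name, "args": positional, "opts": opts})
    return records


def build_model(records):
    """Merge the add/set lines of each object into one view of every vserver, action and policy."""
    model = {"vpn vserver": {}, "lb vserver": {}, "cs vserver": {}, "cs action": {}, "cs policy": {}}
    for r in records:
        table = model.get(r["obj"])
        if table is None:
            continue
        entry = table.setdefault(r["name"], {})
        if r["verb"] == "add" and r["args"] and r["obj"].endswith("vserver"):
            entry["protocol"] = r["args"][0]   # 'add ... vserver <name> <protocol> <ip> <port>'
        entry.update(r["opts"])
    return model


def audit_unified_gateway(config_text):
    """Return a list of findings; an empty list means every check passed."""
    m = build_model(parse_ns_commands(config_text))
    findings = []

    # 1. The CS vserver is the one public URL; the portal and the SSO cookies must ride on SSL.
    for name, cs in m["cs vserver"].items():
        if str(cs.get("protocol", "")).upper() != "SSL":
            findings.append(f"cs vserver {name}: protocol {cs.get('protocol')} is not SSL")

    # 2. Each gateway named as authnVsName must exist and have -loginOnce ON.
    for gw in sorted({lb["authnvsname"] for lb in m["lb vserver"].values() if "authnvsname" in lb}):
        vpn = m["vpn vserver"].get(gw)
        if vpn is None:
            findings.append(f"authnVsName {gw} does not match any vpn vserver")
        elif str(vpn.get("loginonce", "OFF")).upper() != "ON":
            findings.append(f"vpn vserver {gw}: -loginOnce is OFF, seamless SSO to TM apps is disabled")

    # 3. Every LB vserver reachable through a CS action must authenticate at a gateway vserver;
    #    a 0.0.0.0:0 vserver has no address of its own and relies entirely on the CS in front of it.
    for lb_name in sorted({a["targetlbvserver"] for a in m["cs action"].values() if "targetlbvserver" in a}):
        lb = m["lb vserver"].get(lb_name)
        if lb is None:
            findings.append(f"cs action targets undefined lb vserver {lb_name}")
        elif str(lb.get("authentication", "OFF")).upper() != "ON" or "authnvsname" not in lb:
            findings.append(f"lb vserver {lb_name}: reachable via CS without -Authentication ON/-authnVsName")

    # 4. Exactly one catch-all policy (-rule true) should send unmatched URLs to the gateway,
    #    so no request reaches a TM app without a policy decision.
    catch_all = [p for p, o in m["cs policy"].items() if str(o.get("rule", "")).lower() == "true"]
    if len(catch_all) != 1:
        findings.append(f"expected exactly one catch-all cs policy (-rule true), found {len(catch_all)}")
    else:
        action = m["cs action"].get(m["cs policy"][catch_all[0]].get("action"), {})
        if action.get("targetvserver") not in m["vpn vserver"]:
            findings.append(f"catch-all policy {catch_all[0]} does not target a vpn (gateway) vserver")
    return findings


if __name__ == "__main__":
    for label, cfg in (("slide config", SLIDE_CONFIG), ("weak config", WEAK_CONFIG)):
        print(label, "->", audit_unified_gateway(cfg) or ["no findings"])
```

Running the script reports nothing for the slide configuration and one finding for the constructed variant (LB_INTRANET reachable through the CS vserver without authentication); flipping -loginOnce to off adds a second finding. The same checks are the ones worth re-running after every change to a Unified Gateway configuration, since the "Security Concerns" slide above notes that seamless SSO is off by default and that TM applications may still need their own step-up authentication.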
nFactor for Gateway
nFactor
• Motivation
• Flexibility
• Extensibility
• Conditional authentication
• Customized messages/feedback
• Recovery
Example 1: Classic model
Order of execution: left to right
• Dots represent policies
• Like colors represent pairs in 2-factor
• Transitions represent the desired flow
Task: How do you unravel this formation?
Example 1: nFactor
Simpler, isn’t it?
Problems with Legacy Model
• All users on a vserver see the same number of cascades – you need multiple endpoints
• Login pages cannot show extra fields and elements dynamically (pwcount)
• Username and password field names cannot change
• Factors are not adaptive – group extraction cannot be done first
• A maximum of two factors
• Some factors can only happen in primary
• Login pages are static
• Context-sensitive help is not dynamic
nFactor for Gateway end Q1/16
[Diagram: existing model – NetScaler with TM vserver, CS vserver, Gateway and auth]
2Factor Cert or OTP: Look ‚n Feel (TM: Alex Maslo)
2Factor Cert or OTP: logical flow
2Factor Cert or OTP: nFactor flow
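To make the contrast between the legacy cascade model and nFactor concrete, an added example (not from the slides and not Citrix code) models an nFactor-style flow in Python: a certificate factor first, LDAP with group extraction as the fallback when no trusted certificate is presented, and an OTP required only for members of one group, so the number of factors and the fields shown depend on what earlier factors learned. A static two-cascade legacy flow is included for comparison. The user directory, groups, passwords, certificate subjects and OTP values are constructed, and the "certificate or OTP" routing is one plausible reading of the slide titles above, not the actual configuration they showed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed directory standing in for LDAP; users, groups, passwords and OTP values are fake.
USERS = {
    "alice": {"password": "Wint3r!", "groups": ["finance"], "otp": "123456"},
    "bob":   {"password": "Summ3r!", "groups": ["staff"],   "otp": "654321"},
}
# Constructed mapping of trusted client-certificate subjects to directory users.
CERT_SUBJECTS = {"CN=alice": "alice"}


@dataclass
class Factor:
    """One authentication step: the fields its login page shows and where to go next."""
    name: str
    fields: List[str]                              # fields the login page asks for in this step
    check: Callable[[dict, dict], bool]            # (credentials, session) -> passed?
    on_success: Callable[[dict], Optional[str]]    # session -> next factor name, None = done
    on_failure: Optional[str] = None               # next factor name on failure, None = deny


def cert_check(creds, session):
    user = CERT_SUBJECTS.get(creds.get("client_cert"))
    if user is None:
        return False
    session["user"], session["groups"] = user, USERS[user]["groups"]
    return True


def ldap_check(creds, session):
    user = USERS.get(creds.get("username"))
    if user is None or creds.get("password") != user["password"]:
        return False
    # Group extraction happens here, in the first password factor, so later factors can branch on it.
    session["user"], session["groups"] = creds["username"], user["groups"]
    return True


def otp_check(creds, session):
    return creds.get("otp") == USERS[session["user"]]["otp"]


# nFactor-style graph: certificate first; without a trusted certificate fall back to LDAP,
# and require an OTP as a further factor only for members of the "finance" group.
NFACTOR_FLOW = {
    "cert": Factor("cert", ["client_cert"], cert_check, on_success=lambda s: None, on_failure="ldap"),
    "ldap": Factor("ldap", ["username", "password"], ldap_check,
                   on_success=lambda s: "otp" if "finance" in s["groups"] else None),
    "otp":  Factor("otp", ["otp"], otp_check, on_success=lambda s: None),
}


def run_nfactor(flow, start, supplied) -> Tuple[bool, List[Tuple[str, bool]]]:
    """Walk the factor graph; `supplied` stands in for what the user enters on each login page.
    Returns (authenticated?, trail of (factor, passed) pairs)."""
    session, trail, current = {}, [], start
    while current is not None:
        factor = flow[current]
        creds = {f: supplied.get(f) for f in factor.fields}   # only the fields this page shows
        passed = factor.check(creds, session)
        trail.append((factor.name, passed))
        if passed:
            current = factor.on_success(session)
        elif factor.on_failure is not None:
            current = factor.on_failure
        else:
            return False, trail
    return True, trail


def run_legacy(supplied) -> Tuple[bool, List[Tuple[str, bool]]]:
    """Classic model for comparison: one static page with username, password and OTP (pwcount=2),
    and both cascades evaluated for every user regardless of group or certificate."""
    session = {}
    first = ldap_check(supplied, session)
    second = first and otp_check(supplied, session)
    return (first and second), [("ldap", first), ("otp", second)]


if __name__ == "__main__":
    print(run_nfactor(NFACTOR_FLOW, "cert", {"client_cert": "CN=alice"}))
    print(run_nfactor(NFACTOR_FLOW, "cert", {"username": "bob", "password": "Summ3r!"}))
    print(run_nfactor(NFACTOR_FLOW, "cert", {"username": "alice", "password": "Wint3r!", "otp": "123456"}))
    print(run_legacy({"username": "bob", "password": "Summ3r!"}))
```

In the nFactor walk, bob authenticates with username and password alone because his group does not require an OTP, alice passes with her certificate in a single step, and alice without a certificate is asked for three factors; the legacy flow shows the same static page to everyone and fails bob for a missing OTP he was never meant to need. Each branch decision is taken from session state filled in by the previous factor, which is what the slide means by factors being adaptive.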
NetScaler Deployment Guides
Microsoft applications landscape
NetScaler VPX on Azure for XA/XD
• Active / Stand-by
NetScaler + Exchange 2013 Deployment Guides
• Deployment
• Authentication & Optimization
• GSLB
• ActiveSync with Kerberos
NetScaler + SharePoint 2013 Deployment Guides
• Traffic Management (LB/CS) and Authentication - AppExpert
• Hybrid Deployment
• GSLB
• Optimization
• Cisco ACI Automation
NetScaler + Office 365 Deployment Guide
• Forms Authentication + SAML
• Kerberos Authentication + SAML
Remote Desktop Services
• RDP Proxy
– Enterprise/Platinum edition license
– Uses the native RDP client for the connection
– Single Gateway/Dual Gateway solution
– Single Sign-On ability
– Security enforcement
• RDS LB
– Load balancing of the RDP protocol
– Native RDP-type vservers on NS
– CTX131808
Work better. Live better.