Client Access – Published applications

PowerPoint PPT presentation (23 pages)

Transcript of Client Access – Published applications

Page 1: Client Access – Published applications

Client Access – Published applications

Control through TEMPLATE.ICA

• Use SSL
• Authentication level
  – Remove:
    • EncRc5-0
    • EncRc5-40
    • EncRc5-56
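An added example (not code from the presentation or from Citrix) of auditing and hardening the template along the lines of this slide. It assumes the INI layout of a Web Interface TEMPLATE.ICA with a `[WFClient]` section and the key names `SSLEnable` and `EncryptionLevelSession` (assumed from the Citrix ICA file format); the weak levels removed are the three named on the slide, and `EncRC5-128` is assumed as the strong level. The sample file content is constructed.

```python
# Added example, not Citrix's code. Key names SSLEnable and
# EncryptionLevelSession are assumed from the ICA file format; the weak
# EncRc5 levels are the ones named on the slide. Sample content is constructed.
import configparser
import io

# Encryption levels the slide says to remove (matched case-insensitively).
WEAK_LEVELS = {"encrc5-0", "encrc5-40", "encrc5-56"}
# Assumed strongest RC5 level in ICA files; used when hardening.
STRONG_LEVEL = "EncRC5-128"

# Constructed sample of an unhardened template.
SAMPLE_TEMPLATE = """
[WFClient]
Version=2
SSLEnable=Off
EncryptionLevelSession=EncRc5-40

[ApplicationServers]
App=

[App]
Address=
TransportDriver=TCP/IP
"""

def _parse(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep key case exactly as written
    cp.read_string(text)
    return cp

def audit_template(text: str) -> list[str]:
    """Return findings; an empty list means the template meets the slide's rules."""
    cp = _parse(text)
    client = cp["WFClient"] if cp.has_section("WFClient") else {}
    findings = []
    if client.get("SSLEnable", "Off").lower() != "on":
        findings.append("SSLEnable is not On: ICA sessions are not forced over SSL")
    level = client.get("EncryptionLevelSession", "")
    if not level or level.lower() in WEAK_LEVELS:
        findings.append(f"EncryptionLevelSession={level or '(unset)'} is weak or absent")
    return findings

def harden_template(text: str) -> str:
    """Return the template with SSL on and only the strong level offered."""
    cp = _parse(text)
    if not cp.has_section("WFClient"):
        cp.add_section("WFClient")
    cp["WFClient"]["SSLEnable"] = "On"
    cp["WFClient"]["EncryptionLevelSession"] = STRONG_LEVEL
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()
```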

Page 2: Client Access – Published applications

Remote Access

• 80211X, 802.11G, 802.11b, 802.11a
  – 11 Mbps – 55 Mbps
• Wireless WAN
  – 40-120 Kbit
  – Public network
  – CDPD, 1xRTT, other
• High Speed access
  – Cable modem
  – xDSL (ADSL, IDSL, SDSL)

Page 3: Client Access – Published applications

Wireless LAN or WAN

• Secure WLAN or WWAN with Secure Gateway
  – Internal Firewall
    • Port filtering at access device
    • Firewall behind access device (i.e. extended access list)

[Diagram with labels: WLAN Client, WAP, STA, MetaFrame XP Farm, External Client, Web Interface, Secure Gateway; port labels 1494, 80, 80/443, 443, 443]

Page 4: Client Access – Published applications

Connections

Page 5: Client Access – Published applications

Packet filtering (port based)

• Prevent data from reaching unintended services
• Restrict data flow based on destination ports
• Control services that respond to requests
  – TCP port
  – UDP port
  – IP protocol number

[Diagram: External and Internal sides, each listing 1494 (TCP), 443 (TCP), 1604 (UDP)]

Page 6: Client Access – Published applications

Many links to consider….

[Diagram with labels: Internet; Secure Gateway; Logon Agent; Authorization Service + STA; 3rd Party Auth; MetaFrame Secure Access Manager; MetaFrame XP Server Farm; Internal Web Servers; Internet Explorer and ICA Client; Gateway Client; Secure Gateway Proxy; link labels HTTP(S) and ICA/Secure ICA]

Page 7: Client Access – Published applications

Web Interface

• First things First!
• Mandate authentication occurs over SSL
• IIS Example: (IISAdmin)

Page 8: Client Access – Published applications

Web Interface / Secure Access Manager

[Diagram with labels HTTPS and HTTP]

Page 9: Client Access – Published applications

Web Interface / Secure Access Manager

• Web server hardening
  – IIS lockdown tool
  – Must enable ASP (advanced)
• Remove sample directories from web server
• Move webroot from default location
  – CTX102001
• Enforce password policies
  – Expire passwords
  – Alphanumeric combinations
• Remove IIS Anonymous user account
  – Create account to replace
• Disable Pass-through authentication

Page 10: Client Access – Published applications

Web Interface / Secure Access Manager

• Disable unused services
• Remove unnecessary components
• Apply latest service packs
  – Free tool: HFNETCHK to review installed Hotfixes
• Disable default admin shares (C$, Admin$, etc.)
• Unbind NetBIOS from all adapters
  – Disable NetBIOS over TCP/IP
• Use Port Filtering!
  – 80 or 443 for the STA
  – 443 for Secure Gateway/Web Interface or Logon Agent
  – 1494, 80 and/or 443 for MetaFrame XP Presentation servers
  – Use extended access lists where possible
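An added example (not code from the presentation or from any vendor) that models the port filtering described on the packet-filtering slide and the per-role port list on this slide, and evaluates sample flows against it with default deny. Role names, zone names, the rule that internal roles (STA, MetaFrame servers) accept connections only from the DMZ, and the addresses in the ACL rendering are constructed assumptions; the permitted ports per role are the ones the slide lists.

```python
# Added example, not Citrix's or any vendor's code. Zones, role names and
# addresses are constructed; the per-role permitted ports come from the slide
# (STA 80/443, Secure Gateway / Web Interface / Logon Agent 443, MetaFrame XP
# servers 1494, 80 and/or 443, all TCP). Anything not listed is denied.
from dataclasses import dataclass

# Role -> (protocol, port) pairs the filter in front of that role accepts.
ALLOWED = {
    "sta":            {("tcp", 80), ("tcp", 443)},
    "secure_gateway": {("tcp", 443)},
    "web_interface":  {("tcp", 443)},
    "logon_agent":    {("tcp", 443)},
    "metaframe":      {("tcp", 1494), ("tcp", 80), ("tcp", 443)},
}

# Constructed source restriction in the spirit of an extended access list:
# Internet-facing roles accept Internet traffic; internal roles (STA, MetaFrame)
# accept connections only from the DMZ where Secure Gateway / Web Interface sit.
SOURCES = {
    "secure_gateway": {"internet", "dmz"},
    "web_interface":  {"internet", "dmz"},
    "logon_agent":    {"internet", "dmz"},
    "sta":            {"dmz"},
    "metaframe":      {"dmz"},
}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_role: str
    proto: str
    port: int

def filter_decision(flow: Flow) -> str:
    """Return 'permit' or 'deny'; every unmatched flow is denied (default deny)."""
    if flow.dst_role not in ALLOWED or flow.src_zone not in SOURCES[flow.dst_role]:
        return "deny"
    if (flow.proto.lower(), flow.port) not in ALLOWED[flow.dst_role]:
        return "deny"
    return "permit"

def acl_lines(role: str, host: str, src: str = "any", number: int = 101) -> list[str]:
    """Render one role's allow-list as Cisco-style extended ACL entries.
    host and src are constructed placeholders; an implicit deny follows the list."""
    return [f"access-list {number} permit {proto} {src} host {host} eq {port}"
            for proto, port in sorted(ALLOWED[role])]
```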

Page 11: Client Access – Published applications

Secure Gateway

Page 12: Client Access – Published applications

Page 13: Client Access – Published applications

SSL/TLS Support

• SSL V3.0 and TLS V1.0 secure protocols supported
• SSL-Secured connections may now include:
  – Client browser to Web Interface server
  – Web Interface to MetaFrame XML Service
  – Web Interface to Secure Ticket Authority
  – Secure Gateway to Secure Gateway Proxy
  – Secure Gateway to Authentication Service
  – Secure Gateway to Secure Ticket Authority
  – Secure Gateway to Logon Agent
  – Logon Agent to Authentication Service

Page 14: Client Access – Published applications

Web Interface

Page 15: Client Access – Published applications

SSL Certificate

• Issued to Internet FQDN, not necessarily the server name*
• Dates are valid
• Corresponding private key

Page 16: Client Access – Published applications

Certificate Placement

[Diagram with labels: Server Certificate; Root Certificate; Server Certificate]

Page 17: Client Access – Published applications

Single DMZ

[Diagram with labels: Internet; Secure Gateway Service; Authentication Service + STA; Optional 3rd Party Auth; MetaFrame Secure Access Manager; MetaFrame XP Presentation Server Farm; Internal Web Servers; Internet Explorer and ICA Client; Gateway Client; Logon Agent; Web Interface; link labels HTTP(S) and ICA]

Page 18: Client Access – Published applications

Dual Stage DMZ

[Diagram with labels: Internet; DMZ 1 and DMZ 2; Secure Gateway; Secure Gateway Proxy; Logon Agent; Authentication Service + STA; 3rd Party Auth; MetaFrame Secure Access Manager; MetaFrame XP Server Farm; Internal Web Servers; Internet Explorer and ICA Client; Gateway Client; Web Interface; link labels HTTP(S) and ICA]

Page 19: Client Access – Published applications

MMC Management Tools

Page 20: Client Access – Published applications

MMC Management Tools Continued….

• Secure access to all of your content
  – Files
  – Internal web content
  – Published applications
• Management console
  – Log connections
  – Real time counters

Page 21: Client Access – Published applications

MMC Management Tools Continued….

• Real time…
  – User name
  – Domain
  – Server connected
  – Bytes transferred
  – Connection time
  – Connection date

Page 22: Client Access – Published applications

MMC Management Tools Continued….

Perfmon Statistics

• Total failed….
  – Ticket validations
  – Validations
  – Connections
  – ACL rejected

…and more…

Page 23: Client Access – Published applications

Securing connections continued….

• Best Practices for Securing a Secure Gateway Deployment
  – CTX19376