Consolidate and secure access to any enterprise application with the Citrix Unified Gateway
Peter Leimgruber, SE networking, Citrix
© 2015 Citrix | Confidential
Unified Gateway
[Diagram: a mobile user reaching Client/Server, SaaS, Distributed App Infrastructure, Public Cloud, Hybrid Cloud and On Prem applications through separate access paths (SG, ADC, SSL VPN, mVPN) alongside ICA to NetScaler.]
Currently many customers use NetScaler only for XenApp and XenDesktop.
• Multiple point solutions result in:
– Multiple URLs that provide a limited or poor end user experience
– Complicated and hard-to-manage infrastructure
– Multiple islands, with limited integration between solutions
– Multiple upgrade cycles that lead to disruption
– Misconfiguration of security and access policies
…but many customers are looking for a unified solution for remote access.
[Diagram: the same applications (Client/Server, SaaS, Distributed App Infrastructure, Public Cloud, Hybrid Cloud, On Prem) and access paths (SG, ADC, ICA, SSL VPN, mVPN) now consolidated behind one NetScaler for the mobile user.]
NetScaler with Unified Gateway provides One URL and consolidation of remote access infrastructure
Use Case 1: NetScaler with Unified Gateway provides secure remote access to web and enterprise legacy apps
• Provides secure remote access to web and enterprise legacy applications such as:
– ERP/CRM applications
– SharePoint applications
– Network file shares, etc.
• Provides AAA-TM (authentication, authorization and auditing for traffic management) monitoring for these applications
• Clientless VPN (CVPN) for Microsoft applications such as SharePoint, OWA and Lync
• Support for Windows, Mac, Linux, iOS and Android
• Native and 3rd-party single sign-on across applications
• Single portal to publish applications
Use Case 2: NetScaler with Unified Gateway provides secure and remote access to Citrix XenApp and XenDesktop
• Provides centralized access control policy management for Citrix XenApp/XenDesktop applications
• Only product to provide complete visibility and monitoring tools for XA/XD traffic
• Only product to provide Adaptive access control policies for XA/XD
• Endpoint Analysis (EPA) scans of end user devices
• Native and 3rd party single sign-on across applications
• Single portal to publish applications
Use Case 3: NetScaler with Unified Gateway provides secure and remote access to Cloud and SaaS applications
• Provides AAA-TM monitoring for cloud and SaaS applications such as:
– SalesForce
– Office 365
– etc.
• Native and 3rd party single sign-on across applications
• Centralized access control policies
• Single portal to publish all cloud/SaaS applications
Use Case 4: NetScaler provides seamless integration with XenMobile
• Seamless integration with Citrix XenMobile
• Per App VPN (MicroVPN) for XM applications
• Endpoint Analysis (EPA) scans of end user devices
• Optimization of XM traffic
• Visibility and monitoring tools for XM traffic
• One single portal to publish applications
Unified Gateway: What's new in Gateway?
• Gateway vserver
– Can sit behind a CS vserver.
– Does not need its own IP/port.
– Single point of configuration for all policies (authentication/authorization/session).
• Login once
– One login for all GW/TM/SaaS apps published on the gateway portal.
• Logout once
– Single logout for all TM web apps/enterprise apps behind Unified Gateway.
Unified Gateway: Topology
[Diagram, shown on four consecutive slides with the highlighted path changing: a GW vserver behind a CS vserver, which switches to several LB vservers and their services (svc). Labelled capabilities: Login Once, Clientless Access, VPN/Tunnel Access, Virtual Apps & Desktops Access & SSO, Auth.]
Unified Gateway: Quick look at the portal
Unified Gateway - Seamless SSO (GW → TM)
[Diagram: Internet on one side, Enterprise/On prem on the other. A CS vserver fronts the GW vserver (authentication happens at the GW), HTTP and SSL TM LB vservers and HTTP/SSL GW backends. Backends authenticate with Basic/Digest/Form/NTLM/Kerberos; an external SAML SP and the auth servers (XA/XD/XM etc., OWA/SharePoint) are also shown. Flow labels: Content Switching, CS Policy Evaluation, Seamless SSO, Backend SSO, Backend Traffic.]
Unified Gateway - Seamless SSO (TM → GW & TM → TM)
[Diagram: same topology, with the GW vserver bound to the CS vserver and a TM LB1 (HTTP/SSL) as the first hop. Flow labels: CS Policy Evaluation, Auth @ GW, Seamless SSO, Backend SSO, Backend Traffic.]
Unified Gateway – License Requirements

Feature license        Unified Gateway
NetScaler Platinum     ✔
NetScaler Enterprise   ✔
NetScaler Standard     ✗
NetScaler Gateway      ✗
Unified Gateway – Security Concerns
• Seamless SSO is optional for Gateway
– The ‘-loginOnce’ knob can be turned OFF to disable TM→GW or GW→TM seamless SSO.
– The default value is OFF.
• TM may need a higher level of authentication
– Step-up authentication for TM can be configured behind Unified Gateway.
• SSL properties for smart card (client certificate) authentication are taken from the CS vserver, because the CS vserver terminates the TLS connection, not the gateway vserver behind it.
Change ICAProxy into Unified Gateway: OWA Example

Step 1: Move the SSL VPN vserver to an internal IP and enable LoginOnce
CLI: set vpn vserver icaproxy.peter.lab -ipAddress 2.2.2.2 -loginOnce on

Step 2: Add the OWA LB vserver and point its authentication at the SSL VPN vserver icaproxy
CLI: add lb vserver LB_OWA HTTP 0.0.0.0 0
CLI: set lb vserver LB_OWA -Authentication ON -authnVsName icaproxy.peter.lab

Step 3: Add the CS vserver, CS actions and CS policies
CLI: add cs vserver UG_ICAProxy SSL 192.168.178.60 443
CLI: add cs action CS_OWA -targetLBVserver LB_OWA
CLI: add cs action CS_SSLVPN_ICAProxy -targetVserver icaproxy.peter.lab
CLI: add cs policy CS_Pol_OWA -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/owa\")" -action CS_OWA
CLI: add cs policy CS_Pol_ICAProxy -rule true -action CS_SSLVPN_ICAProxy
When binding the policies to the CS vserver, give CS_Pol_OWA the lower priority number (evaluated first) and the catch-all CS_Pol_ICAProxy the higher one; a catch-all evaluated first sends every request, /owa included, to the gateway.
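The three steps above leave two things implicit that decide whether the design is actually secure: every LB vserver reachable through the CS vserver must carry `-Authentication ON` with `-authnVsName` pointing at the gateway, and the `-rule true` catch-all must be bound last and must target the gateway. The following Python is an added example, not Citrix code: it parses the page's own CLI lines (plus two assumed `bind cs vserver` lines with assumed priorities 100 and 200, which the page does not show), resolves which vserver a URL lands on under the same lowest-priority-number-first order NetScaler uses, and lints the config for the two properties above. The rule evaluator only understands the two rule shapes on the page (`true` and a `STARTSWITH` prefix test with optional `SET_TEXT_MODE(IGNORECASE)`).

```python
"""Model a Unified Gateway content-switching config and check its access-control
properties.  Added example; the CLI text is the page's commands plus two assumed
'bind cs vserver' lines that give the policies an evaluation order."""
import re
import shlex

# Constructed config: the page's own commands; the two bind lines are assumed.
CONFIG = r'''
set vpn vserver icaproxy.peter.lab -ipAddress 2.2.2.2 -loginOnce on
add lb vserver LB_OWA HTTP 0.0.0.0 0
set lb vserver LB_OWA -Authentication ON -authnVsName icaproxy.peter.lab
add cs vserver UG_ICAProxy SSL 192.168.178.60 443
add cs action CS_OWA -targetLBVserver LB_OWA
add cs action CS_SSLVPN_ICAProxy -targetVserver icaproxy.peter.lab
add cs policy CS_Pol_OWA -rule "HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/owa\")" -action CS_OWA
add cs policy CS_Pol_ICAProxy -rule true -action CS_SSLVPN_ICAProxy
bind cs vserver UG_ICAProxy -policyName CS_Pol_OWA -priority 100
bind cs vserver UG_ICAProxy -policyName CS_Pol_ICAProxy -priority 200
'''

def parse(text):
    """Return ({(kind, name): {"args": [...], "opts": {...}}}, [(cs, policy, prio)])."""
    objects, bindings = {}, []
    for line in text.strip().splitlines():
        tok = shlex.split(line)           # honours the \" inside the -rule string
        verb, kind, name, rest = tok[0], " ".join(tok[1:3]), tok[3], tok[4:]
        opts, positional, i = {}, [], 0
        while i < len(rest):
            if rest[i].startswith("-"):   # "-Key value" pairs; keys normalised to lowercase
                opts[rest[i][1:].lower()] = rest[i + 1]
                i += 2
            else:
                positional.append(rest[i])
                i += 1
        if verb == "bind":
            bindings.append((name, opts["policyname"], int(opts["priority"])))
        else:                             # 'add' creates, 'set' merges into the same object
            obj = objects.setdefault((kind, name), {"args": [], "opts": {}})
            obj["args"] += positional
            obj["opts"].update(opts)
    return objects, bindings

RULE_RE = re.compile(
    r'HTTP\.REQ\.URL(\.SET_TEXT_MODE\((IGNORECASE|NOIGNORECASE)\))?\.STARTSWITH\("([^"]*)"\)')

def rule_matches(rule, url):
    """Evaluate the two rule shapes used on the page: 'true' and a URL prefix test."""
    if rule == "true":
        return True
    m = RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    prefix = m.group(3)
    if m.group(2) == "IGNORECASE":
        return url.lower().startswith(prefix.lower())
    return url.startswith(prefix)

def route(objects, bindings, cs_name, url):
    """Return the vserver a URL reaches: the lowest priority number is evaluated first."""
    for _, pol_name, _ in sorted((b for b in bindings if b[0] == cs_name), key=lambda b: b[2]):
        pol = objects[("cs policy", pol_name)]["opts"]
        if rule_matches(pol["rule"], url):
            act = objects[("cs action", pol["action"])]["opts"]
            return act.get("targetlbvserver") or act["targetvserver"]
    return None

def lint(objects, bindings):
    """Findings for LBs reachable without gateway auth and for misplaced catch-alls."""
    findings = []
    for (kind, name), obj in objects.items():
        if kind != "cs action" or "targetlbvserver" not in obj["opts"]:
            continue
        target = obj["opts"]["targetlbvserver"]
        lb = objects.get(("lb vserver", target), {"opts": {}})["opts"]
        if (lb.get("authentication", "OFF").upper() != "ON"
                or ("vpn vserver", lb.get("authnvsname")) not in objects):
            findings.append(f"{name}: LB {target} is reachable without gateway authentication")
    for cs_name in {b[0] for b in bindings}:
        ordered = sorted((b for b in bindings if b[0] == cs_name), key=lambda b: b[2])
        for pos, (_, pol_name, prio) in enumerate(ordered):
            pol = objects[("cs policy", pol_name)]["opts"]
            if pol["rule"] != "true":
                continue
            act = objects[("cs action", pol["action"])]["opts"]
            if ("vpn vserver", act.get("targetvserver")) not in objects:
                findings.append(f"{pol_name}: catch-all does not send unmatched URLs to the gateway")
            if pos != len(ordered) - 1:   # anything bound after the catch-all is dead
                findings.append(f"{pol_name}: catch-all at priority {prio} shadows later policies")
    return findings

if __name__ == "__main__":
    objs, binds = parse(CONFIG)
    for u in ("/owa/auth/logon.aspx", "/OWA/", "/owabackup/", "/Citrix/StoreWeb/"):
        print(u, "->", route(objs, binds, "UG_ICAProxy", u))
    print("findings:", lint(objs, binds) or "none")
    print("auth off:", lint(*parse(CONFIG.replace("-Authentication ON", "-Authentication OFF"))))
    print("catch-all first:", lint(*parse(CONFIG.replace("-priority 100", "-priority 300"))))
```

Two things the run makes visible: `/owabackup/` is switched to LB_OWA as well, because `STARTSWITH("/owa")` is a prefix test, not a path-segment test; and flipping either `-Authentication ON` or the bind priorities turns a silent misconfiguration into a finding, which is the kind of check to keep in a pre-commit gate for the gateway config.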
nFactor for Gateway
nFactor
• Motivation
• Flexibility
• Extensibility
• Conditional authentication
• Customized messages/feedback
• Recovery
Example 1: Classic model (order of execution: left to right)
• Dots represent policies
• Like colors represent pairs in 2-factor
• Transitions represent the desired flow
Task: How do you unravel this formation?
Example 1: nFactor
Simpler, isn't it?
Problems with Legacy Model
• All users on a vserver see the same number of cascades – you need multiple endpoints
• Login pages cannot show extra fields and elements dynamically (pwcount)
• Username and password field names cannot change
• Factors are not adaptive – group extraction cannot be done first
• A maximum of two factors
• Some factors can only happen in primary
• Login pages are static
• Context-sensitive help is not dynamic
nFactor for Gateway: end of Q1/16
[Diagram, existing model: NetScaler with a TM vserver and a CS vserver in front of the Gateway and its auth.]
2-Factor Cert or OTP: Look 'n Feel (TM: Alex Maslo)
2-Factor Cert or OTP: logical flow
2-Factor Cert or OTP: nFactor flow
NetScaler Deployment Guides
Microsoft applications landscape
NetScaler VPX on Azure for XA/XD
• Active/Standby
NetScaler + Exchange 2013 Deployment Guides
• Deployment • Authentication & Optimization • GSLB • ActiveSync with Kerberos
NetScaler + SharePoint 2013 Deployment Guides
• Traffic Management (LB/CS) and Authentication - AppExpert
• Hybrid Deployment • GSLB • Optimization • Cisco ACI Automation
NetScaler + Office 365 Deployment Guide
• Forms Authentication + SAML • Kerberos Authentication + SAML
Remote Desktop Services
• RDP Proxy
– Enterprise/Platinum edition license
– Uses the native RDP client for the connection
– Single Gateway/Dual Gateway solution
– Single sign-on ability
– Security enforcement
• RDS LB
– Load balancing of the RDP protocol
– Native RDP-type vservers on NetScaler
– CTX131808
Work better. Live better.