  • Number of slides: 20

Citrix Secure Gateway v1.1 Technical Presentation, August 2002

What is Citrix Secure Gateway?
  • Citrix Secure Gateway is a secure Internet gateway between MetaFrame® servers and ICA Client workstations that allows customers to simply and securely deliver applications across the Internet, on demand, to any device

Typical Layout
[Diagram labels: Secure Connectivity, Authentication, Access Mgmt.; Client Workstations, Internet, Firewall, DMZ, Citrix NFuse Classic, Citrix Secure Gateway, Firewall, Internal Network, Citrix MetaFrame XP and/or MetaFrame for Unix]

CSG traffic flow
[Diagram labels: ICA Client, ICA/SSL 443, DMZ, CSG Server, ICA/1494, MetaFrame Server Farm; Web Browser, 443, Secure Web Server, .ICA file, HTTP/S, NFuse, XML, HTTP/80, Citrix XML Service, Optional 3rd Party Authentication]

CSG for Windows Gateway Service
  • Windows 2000 native Service
  • Runs in DMZ, does not require IIS installed
  • Multi-threaded design (utilizes IO Completion Ports) for high efficiency and throughput.
  • Utilizes Microsoft S-Channel for SSL/TLS functions
  • Server certificate required for SSL server authentication
  • Build large CSG arrays for scalability and fault tolerance using industry standard external network load balancer.
  • GUI configuration tool.
  • Small benefit from PCI based SSL accelerators

CSG for Solaris daemon
  • Solaris on SPARC v8 supported
  • Multithreaded Solaris daemon
  • Includes certificate management tools
  • Embedded OpenSSL for SSL/TLS functions
  • Server certificate required for SSL server authentication
  • Build large CSG arrays for scalability and fault tolerance using industry standard external network load balancer.

Secure Ticketing Authority
  • Implemented as ISAPI DLL
  • Microsoft IIS WWW Service required
  • Extremely lightly loaded service
  • Redundant STAs can be defined
  • Service should not be reachable from outside DMZ
  • Communicates to CSG and NFuse via XML protocol over HTTP. Port configurable
  • Links to CSG and NFuse can be secured by Windows 2000 Server to Server VPN
  • GUI configuration tool

CSG Ticketing
[Diagram labels: ICA Client, Web Browser, DMZ, CSG Server, Secure Web Server, NFuse, Secure Ticketing Authority, XML Service, Production MetaFrame Farm; 1. Standard NFuse XML, 2. Ticket Generation, 3. ICA File, 4. ICA/SSL, 5. Ticket Verification, 5. ICA/1494]
  1. Standard ICA Name Resolution
  2. Requested CSG ticket on application launch
  3. CSG ticket is delivered to the ICA client as part of the ICA file.
  4. CSG ticket is delivered to CSG server
  5. CSG server verifies ticket and opens ICA connection.
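
The five ticketing steps above, modelled as an added example (not Citrix code and not part of the original slides); it shows that the client only ever holds the gateway address and an opaque ticket, never the internal server address. The class and function names, the dictionary keys, the sample addresses, and the single-use and 100-second lifetime rules are assumptions of this model.

```python
import secrets
import time


class TicketAuthority:
    """Toy stand-in for the STA: maps opaque tickets to internal servers."""

    def __init__(self, ttl=100.0, clock=time.monotonic):
        self._ttl = ttl        # assumed ticket lifetime in seconds
        self._clock = clock    # injectable so expiry can be tested
        self._pending = {}     # ticket -> (server_address, expiry)

    def issue(self, server_address):
        # Step 2: NFuse requests a ticket when the user launches an application.
        ticket = secrets.token_hex(16)
        self._pending[ticket] = (server_address, self._clock() + self._ttl)
        return ticket

    def redeem(self, ticket):
        # Step 5: the gateway asks the STA to verify the ticket.
        # pop() makes every ticket single-use (an assumption of this model),
        # so a replayed or forged ticket resolves to nothing.
        entry = self._pending.pop(ticket, None)
        if entry is None:
            return None
        server_address, expiry = entry
        return server_address if self._clock() <= expiry else None


def build_ica_file(sta, gateway_address, server_address):
    # Step 3: the file handed to the client names the gateway and carries
    # the ticket; the internal address stays with the STA.
    # The keys "gateway" and "ticket" are hypothetical, not real ICA fields.
    return {"gateway": gateway_address, "ticket": sta.issue(server_address)}


def gateway_connect(sta, ica_file):
    # Steps 4-5: the client presents the ticket over SSL/443; the gateway
    # opens ICA/1494 to the resolved server only if the STA accepts it.
    target = sta.redeem(ica_file.get("ticket", ""))
    if target is None:
        raise PermissionError("ticket rejected")
    return target


if __name__ == "__main__":
    sta = TicketAuthority()
    # Constructed sample addresses.
    ica = build_ica_file(sta, "csg.example.com:443", "10.0.0.5:1494")
    print(ica["gateway"], "->", gateway_connect(sta, ica))
```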

Encryption and Connectivity
  • Secures ICA Traffic only
  • SSL v3.0 or TLS v1.0 with 128-bit encryption
  • CSG Service uses single Server Certificate
  • Single CSG IP address is exposed to internet
  • Ease of firewall traversal (uses port 443 only)

Authentication provided by NFuse Classic Web server; users must first authenticate to an NFuse Classic web server before using CSG.
  • NFuse Classic supports various authentication methods:
    – Microsoft NT Domain and Active Directory
    – Novell NDS
    – SmartCard
  • Use whatever security mechanisms you wish to protect your web server from unauthorized access (e.g. RSA SecurID®, SafeWord™ PremierAccess™)
  • Authentication process is further secured using an HTTPS configured NFuse Web server

Deployment with Citrix Secure Gateway is highly scalable
  • Build fault tolerant CSG arrays with industry standard load balancers.
  • Multiple redundant STAs can be configured.
  • CSG supports MetaFrame v1.8 and higher.
  • CSG Supports MetaFrame for UNIX on Sun Solaris, HPUX and IBM AIX.
  • Supported ICA Clients available for all Windows platforms as well as Windows CE, Java, Solaris, Unix, and Macintosh.

Deployment Issues
  • Citrix v6.30 Windows & Java ICA clients can traverse a number of industry standard “secure” proxy servers.
  • CSG to STA and NFuse links do not have native encryption capabilities – use Windows 2000 server to server VPN.
  • No client auto-reconnect. This feature is often not required across the Internet, for security reasons.

Citrix Security Solutions
[Diagram labels: SSL Solutions, SecureICA™, SSL Relay, Citrix Secure Gateway, VPN Solution]
  • CSG is a simple and secure, ICA only solution

When to use SecureICA or SSL Relay
  • Use SecureICA when:
    – Internal LAN / WAN / Intranet
    – Secure DOS or Win16 access is necessary
    – Have older devices / ICA clients that cannot be upgraded
    – Risk of “man-in-the-middle” attack is acceptable
  • Use SSL Relay when:
    – Small number of MetaFrame servers to support (<5)
    – No need to secure access at DMZ
    – No need to hide server IP addresses, or NAT is used
    – Need end-to-end encryption of data between client and server

When to use CSG or VPN
  • Use Citrix Secure Gateway when:
    – Large number of servers to support
    – Want to hide internal network addresses
    – Want to secure from DMZ
    – Need two-factor authentication (in conjunction with NFuse)
    – Need non-intrusive client install i.e. access from Internet cafes
  • Use a Virtual Private Network (VPN) when:
    – Need two-factor authentication
    – Need to create a secure pipeline for full (beyond ICA) network access
    – Need to create secure tunnels between sites
    – Want to secure from within DMZ
    – Access is normally via same workstation i.e. OK to install additional client
    – Want to use IPSEC

“Internet Café” Solution
  • Build a complete, Java applet-based solution, which assumes nothing preinstalled on clients.
  • MetaFrame XPe
  • Citrix NFuse Classic 1.7
  • Citrix Secure Gateway
  • Replaceable authentication (e.g. RSA SecurID, SafeWord™ PremierAccess™)
  • Citrix ICA Java Client, running in Applet mode (included with NFuse Classic 1.7)

What’s new in CSG v1.1
  • Windows 2000 certification
  • List of IP addresses not to log (e.g. network load balancer)
  • All CSG logging to Windows system log
  • TLS v1.0 and SSL v3.0 (exclusive)
  • GOV, COM, or ALL crypto selection
  • FIPS 140-1 certified crypto modules
  • No NFuse Extensions – NFuse Classic v1.7 natively supports CSG
  • Solaris platform Edition

CSG v1.1 availability
  • CSG v1.1 Windows (English) available on MetaFrame FR2 Components CD
  • CSG v1.1 Windows (English) is fully internationalized for operation on non-English Windows 2000.
  • CSG v1.1 Windows (Japanese) available on MetaFrame FR2 (J) Components CD
  • CSG v1.1 Solaris available from Citrix Secure Portal for Subscription Advantage Customers

For More Information…
  • Contact a local member of the Citrix Solutions Network™
  • Connect to Citrix Web site at: www.citrix.com/products/securegateway