Overview, Positioning & New Features


1 Overview, Positioning & New Features
Citrix Access Gateway 8.1: Overview, Positioning & New Features. Speaker notes: this presentation describes the technical details of Access Gateway, with a focus on Enterprise Edition and the 8.1 release. The deck is meant to be presented to customers to cover the technical side of the Access Gateway 8.1 product line.

2 Why Citrix Access Gateway SSL VPN?
Globalization has dramatically accelerated today's business. Companies must support more kinds of users without everything becoming more complicated. Applications must now be reachable from anywhere, securely and under control. The Citrix vision: a world in which anyone can work from anywhere. Speaker notes: the core problem Access Gateway solves is providing anywhere access to applications and data. The need is driven by business pressures such as globalization: organizations now have to support many different types of users (remote workers, tele-workers, day extenders, business partners, contractors), all of whom need access to their applications and data, with control.

3 Access Gateway in an application delivery infrastructure
Diagram labels: Workflow Studio, XenDesktop, XenApp, XenServer, NetScaler, Desktop and App Receiver, Branch Repeater, Access Gateway, Users, Apps. Speaker notes: Citrix has a singular focus on delivering any application to any user over any network. That is a big challenge: applications are diverse (desktop, client/server and web based), so are users and locations (branch offices, remote, home office, outsourced), and so are access devices. Citrix products sit directly in front of web apps, where 90% of new application development happens today; directly in front of Windows apps, where 90% of existing line-of-business apps are deployed today; directly in front of Windows desktops deployed in the datacenter for delivery over the network; at the gateway through which users gain secure access to all of their applications; at the front door of the branch office, where 55% of enterprise employees access their apps; and directly on the endpoint, with full visibility into the end-user experience.

4 Easy to deploy and roll out
Access Gateway is the leading SSL VPN solution, giving users simple, secure access to all applications and data through policy-based access control. Easy to deploy and roll out; SmartAccess; highest performance and scalability. Speaker notes: the key message for Access Gateway is the delivery of secure application access. Regardless of the type of application and how it is implemented in the datacenter, Access Gateway provides a secure single point of access that makes it easy for users to reach applications and data and easy for administrators to deploy the security needed to protect sensitive data. Granular application-level policies can be set using SmartAccess technology, and Access Gateway provides the highest levels of performance and scalability in the industry: our enterprise-class appliances support up to 10,000 users, approximately four times any competing device.

5 Secure access to all applications and data, from anywhere
Diagram labels: corporate notebooks, partner workstations, home computers and mobile devices (users); Internet; DMZ with Access Gateway; web apps, Windows apps, desktops and desktop apps (apps). Speaker notes: Access Gateway sits in the DMZ and delivers all applications, protocols and data to a wide range of devices and user types, including IP telephony.

6 Awards & analyst assessments
Rapid growth. Major awards won. Proven in practice. Note: SC Magazine 2008 award for the "Best IPsec/SSL VPN" solution. Speaker notes: Access Gateway has grown rapidly at Citrix since its introduction: we started with 0 market share and in just 2 years grew to #2 in the SSL VPN marketplace. Why so much success in so short a time? Citrix is completely focused on applications, and when we talk about access control we mean the application level. That is a strategic business problem and the level at which our customers want and need to focus their efforts. Our competitors come from the network space; when they talk about access control they mean IP addresses and ports, and their products are tactical point solutions for commodity-level network access. Citrix's focus on the core business issue of application access rather than basic network access, along with its market success, has earned Access Gateway top honors and awards from sources such as SC Magazine and Frost & Sullivan.

7 Analyst ratings: Citrix in the "Leaders Quadrant"
Sources: Forrester (December 2006); Gartner (November 2007). Speaker notes: in addition to rapid market growth and industry awards, within just 2 years of participating in the SSL VPN market Citrix was recognized by the top two analyst firms as a leader. Gartner's Magic Quadrant from December 2007 and the Forrester Wave from December 2006 (whose next edition is due in mid-2008) both show Citrix as a leader in SSL VPN. We fully expect continued recognition as a leader because of our focus on the core business issue, application delivery, as opposed to the tactical focus on basic network access that positions most of our competitors.

8 Product line overview
Enterprise Edition: best scalability, highest performance, central management and high-availability option. Advanced Edition: innovative SmartAccess functionality for flexible, granular access control. Standard Edition: cost-effective, easy to deploy and easy to administer solution for small and medium environments. Note that in 2008 the position of Advanced Edition changed to the mid-market, up to 500 users. Speaker notes: Citrix Access Gateway Standard Edition is the cost-effective, easy-to-implement and easy-to-administer solution for small and medium environments. The time-consuming rollout of the VPN client to individual endpoints is unnecessary, because the client component is downloaded automatically when connecting to the Access Gateway and updated as needed. Citrix Access Gateway Advanced Edition additionally offers the innovative SmartAccess functionality for flexible, granular access control: users can be granted different rights to the resources released to them depending on the location they are accessing information from and the device they are using. Advanced Edition also supports browser-based, "clientless" secure access to e-mail and files, including from PDAs, smartphones and kiosk systems. Citrix Access Gateway Enterprise Edition, with the best scalability, central management, a high-availability option and integrated functions for application acceleration and optimization, is the solution for large, complex enterprise environments. Enterprise Edition also contains a fully integrated SmartAccess component that provides granular access control without an additional external server.

9 Available appliances
Enterprise Edition: 7000, 9000 and 9000 FIPS series appliances. Advanced Edition: 2000 series plus the Advanced Access Control option (AAC server). Standard Edition: 2000 series. Speaker notes: use this slide to explain the appliance options. Standard Edition runs on the model 2000. Advanced Edition is the model 2000 with a separate AAC server (runs on Microsoft Windows Server). Enterprise Edition runs on the 7000 and higher model appliances. Although these appliances are shared with the NetScaler product line, Access Gateway is a separate product line and the appliances are priced differently from NetScaler appliances.

10 Licensing (CCUs)
Enterprise Edition: Universal User License. Advanced Edition: Universal User License. Advanced Access Control option: Universal User License. Standard Edition: Universal User License or Standard License.

11 Key features & properties
Feature matrix across Enterprise, Advanced and Standard Edition (the per-edition marks are not in the transcript): desktop-like access, endpoint analysis, two-factor authentication, Presentation Server support, integrated Secure Gateway, SmartAccess, detailed audit trail, high availability, delegated administration, smart card authentication, fast response time, multiple virtual SSL VPNs, available as a NetScaler option. Speaker notes: the aim of this slide is to show that Enterprise Edition is the premier offering and has many more capabilities.

12 AG-EE advantages vs. AG-AE
Available in Access Gateway 8.1 Enterprise Edition but not in Access Gateway 4.5 Advanced Edition: high availability, client-side cache clean-up, server-initiated connections, client certificate (smart card) authentication, FIPS compliance, ICSA certification, virtualized SSL VPN, delegated administration, AppCompress technology.

13 AG-EE features in common with AG-AE
Access Gateway 4.5 Advanced Edition and Access Gateway 8.1 Enterprise Edition both offer: VPN tunneling of IP-based application protocols, SmartAccess for CPS, Secure Gateway replacement, support for the Access Gateway Universal license, endpoint analysis support, two-factor authentication support, centralized management, failover support, VPN client integration with Windows GINA, detailed audit trail.

14 AG-EE features in common with AG-AE (continued)
Also common to both editions: clientless access (URL rewrite), access scenario fallback, file-type association.

15 Remaining feature differences
Between Access Gateway 4.5 Advanced Edition and Access Gateway 8.1 Enterprise Edition: non-admin install of the VPN client, multi-lingual support, customized logon pages, HTML preview, LiveEdit.

16 Technical overview

17 Access Gateway: basic functions
AAA; policy-driven access; full application support; ease of use; security. Speaker notes: the basics that all vendors meet, the five SSL VPN requirements (introductory slide): AAA (authentication, authorization and auditing); policy-driven access; full application support (all protocols and applications); ease of use (on both the admin and the client side); security (SSL/TLS support).

18 Access Gateway: functions
Speaker notes: most SSL VPNs, and Access Gateway in particular, can be divided as follows, with the differentiators making the biggest impact for Access Gateway. Differentiators: XenApp integration (SmartAccess for published applications and Secure Gateway replacement); XenDesktop (SmartAccess for desktops); NetScaler (load balancing, GSLB and Application Firewall). Features: AAA, clients, EPA, user experience, administration, scalability, HA, others.

19 Authentication
Supports the most common authentication mechanisms: Active Directory, LDAP, NTLM, RADIUS, TACACS+, one-time password tokens, client certificates & smart cards, local store. Two-factor authentication. Cascaded authentication. Speaker notes: TACACS (Terminal Access Controller Access-Control System) is a remote authentication protocol used to communicate with an authentication server, commonly used in UNIX networks; it lets a remote access server ask an authentication server whether the user has access to the network. Supports dual-source and cascading authentication, and also dual cascading authentication. Smart card support is provided through client certificates.

20 Authorization
Policy-driven access: authentication, authorization, session control, auditing. Variety of policy criteria: network information, application access, client certificate parameters, client configuration. Granular access control: user, group, virtual IP and global policies. HTTP authorization based on the URL; TCP/IP authorization based on address and port. Speaker notes: different policies dictate and control access to resources (networks, servers, applications, XenApp, XenDesktop). Complex expressions can be built from different qualifiers and criteria (the list of expressions is in the Admin Guide). Authorization policies are bound at the group or user level. Use cases: file transfer authorization, access lists for internal connections, web site and web application restrictions.
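The policy model on this slide (bindings at user, group, virtual-server and global level, HTTP rules on the URL, TCP/IP rules on address and port, first match decides) can be made concrete. The Python below is an added example written for this page, not Citrix code and not the appliance's expression language: the policy names, the precedence order between binding levels and the default-deny fallback are assumptions of the example, and the sample configuration is constructed.

```python
"""Added example, not Citrix code: a minimal model of authorization policy
evaluation as described on slide 20. Precedence between binding levels and
the default-deny fallback are assumptions of this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    dest_ip: str
    dest_port: int
    url: Optional[str] = None   # set only for HTTP requests


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                       # "ALLOW" or "DENY"
    url_prefix: Optional[str] = None  # HTTP authorization by URL
    dest_net: Optional[str] = None    # TCP/IP authorization by address ...
    dest_port: Optional[int] = None   # ... and port

    def matches(self, req: Request) -> bool:
        """Every criterion the policy sets must hold; unset criteria are wildcards."""
        if self.url_prefix is not None and (req.url is None or not req.url.startswith(self.url_prefix)):
            return False
        if self.dest_net is not None and ip_address(req.dest_ip) not in ip_network(self.dest_net):
            return False
        if self.dest_port is not None and req.dest_port != self.dest_port:
            return False
        return True


@dataclass(frozen=True)
class Binding:
    policy: Policy
    priority: int   # lower number is evaluated first


@dataclass
class PolicyStore:
    """Bindings at the four levels named on the slide. Assumed precedence:
    user, then group, then virtual server, then global; by priority within a level."""
    user: dict = field(default_factory=dict)
    group: dict = field(default_factory=dict)
    vserver: list = field(default_factory=list)
    global_: list = field(default_factory=list)

    def ordered_bindings(self, req: Request):
        levels = [self.user.get(req.user, [])]
        levels += [self.group.get(g, []) for g in sorted(req.groups)]
        levels += [self.vserver, self.global_]
        for bindings in levels:
            yield from sorted(bindings, key=lambda b: b.priority)


def authorize(store: PolicyStore, req: Request) -> tuple:
    """First matching policy decides; nothing matching means DENY (assumed default)."""
    for b in store.ordered_bindings(req):
        if b.policy.matches(req):
            return b.policy.action, b.policy.name
    return "DENY", "default"


def sample_store() -> PolicyStore:
    """Constructed configuration for the example (not from the page)."""
    intranet = "http://intranet.corp.example/"
    store = PolicyStore()
    store.global_ = [
        Binding(Policy("deny_finance_url", "DENY", url_prefix=intranet + "finance/"), 10),
        Binding(Policy("allow_intranet_web", "ALLOW", url_prefix=intranet), 20),
    ]
    # a group-level ALLOW is consulted before the global DENY under the assumed precedence
    store.group["finance"] = [Binding(Policy("allow_finance_url", "ALLOW", url_prefix=intranet + "finance/"), 10)]
    store.group["admins"] = [Binding(Policy("allow_rdp_servers", "ALLOW", dest_net="10.10.0.0/16", dest_port=3389), 10)]
    return store
```

A non-HTTP request carrying no URL never matches a URL rule, so with the sample store a plain TCP connection is denied unless an address/port rule at some level allows it; that is the behaviour to verify when a "works in the browser, fails in the full client" ticket comes in.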

21 Auditing
Complete administration logs: all management actions are logged. Complete user activity logs: all activity in sessions, all network traffic. Complete logging of system events. Support for external logging servers. Speaker notes: logging and auditing capabilities: syslog, nslog. Can log login information, logout information, access failures, TCP statistics, UDP statistics, HTTP information and system events (device up/down).

22 Clients
Two kinds of client access: the Secure Access Client, a natively installed application that stays resident in the system tray and connects to any IP-based application; and the plugin, an ActiveX or Java control that is downloaded dynamically over HTML and executed. Connecting exclusively to XenApp applications: all XenApp clients v6.3 or newer (Windows NT/2000/XP, Windows Vista, MacOS 9 & 10, Linux & Java, Windows CE, UNIX). Secure Access platforms: Windows Vista/2000/XP, Java (used on Mac & Linux), PocketPC. Speaker notes: describe the three client types: the full Secure Access Client, and the plugin in ActiveX and Java form. Full client: all functionality and protocols work. ActiveX: all functionality and protocols work (Windows platforms only). Java based: TCP traffic only (no UDP) and only listed applications (an application list must be provided), transparent mode; recommended for Mac and Linux.

23 Endpoint analysis
Checks specific client criteria. Scans can run before and after logon. The results are used for policy evaluation and for granting SmartAccess rights. A connected Windows client can be scanned for any combination of: files, processes, registry entries, system services, operating system hotfixes, client certificates. Note: no EPA SDK is available with AG EE.

24 Client scan
The kind of user access and the access rights are based on the SmartAccess policies and the EPA results. Speaker notes: this scenario shows a typical AGEE logon with a pre-authentication scan followed by the choices page. Pre-authentication scan; if it succeeds, the logon screen (user ID/password) is displayed; after authentication a session is created and the choices page is displayed.

25 Simple management and administration
Management Console. Simple wizards: to simplify standard tasks, for easy integration into XenApp environments, for complex tasks. Delegated administration: Read-only, Operator, Network, Superuser. Command line interface. Speaker notes: new wizards were created specifically to simplify product configuration and deployment. Delegated administration gives the administrator the ability to grant limited or full rights to configure the appliance (e.g. for help desk and other admins): rules that control what individual users may access and do on the Access Gateway, which parts of the configuration a user or group may access and modify, and which commands, command groups, virtual servers and other elements system users and groups may use. Read-only: read-only access to all show commands except the system command group and ns.conf show commands. Operator: read-only access as above, plus the enable and disable commands on services and the ability to set services and servers as 'accessdown'. Network: near-total system access, excluding system commands and the shell command. Superuser: full system privileges, exactly the same as the nsroot user. The CLI continues to serve administrators who need to script and automate builds and configurations.

26 Scalability
7000 series: 2,500 users. 9000 series: 5,000 users. 10000 series: 10,000 users (each icon in the diagram = 100 users). Speaker notes: Enterprise Edition offers the best scalability and performance of all editions in the Access Gateway product line.

27 High availability pairing
Master and backup appliance; network health-check packets are exchanged; vpn.company.com (IP address not shown). Two appliances can form an active/passive cluster. Health-check packets are constantly exchanged between the pair. If the primary appliance fails, the second takes over the IP address. User sessions are designed for HA: all sessions are replicated to the second appliance, and "show aaa session" on the second appliance shows the active users. Speaker notes: appliances deployed as an HA pair run in active/passive mode only; for active/active, use the GSLB feature in NetScaler. If the active appliance becomes unavailable, the passive appliance takes over and the user session is relocated onto it. The end user sees the VPN client reconnecting (almost instantly) without being prompted for credentials. Most applications keep working and maintain state across a failover; some must be re-initiated to re-establish their connection to the backend servers, which is due to the application's own mechanism, not to the failover.

28 Other functions
VoIP support; universal licensing; client-side cleanup; server-initiated connections; FIPS compliance; *Common Criteria certification (H2 2008); AG Universal License. Speaker notes: additional features available: VoIP support (softphones and others); client-side cleanup (cleans up cache, history and other data files); *Common Criteria certification is currently in progress, targeted for the end of 2008.

29 Differentiators
Citrix XenApp (Windows apps), Citrix NetScaler (web apps), Citrix XenDesktop (Windows desktops). Speaker notes: integration with XenApp, XenDesktop and NetScaler provides the most significant value for the Access Gateway product line. This slide leads into the three platinum products and the integration value of each.

30 Citrix Access Gateway and XenApp
Diagram labels: Citrix NetScaler (web applications); Citrix XenApp (Windows applications); Citrix XenDesktop (Windows desktops); Citrix EdgeSight (performance monitoring from the end user's perspective); Citrix WANScaler (accelerated application access for branch office users); Citrix Access Gateway (secure access to applications); Users; Apps. Highlighted: secure delivery of Windows applications. Speaker notes: in most organizations, someone in IT infrastructure operations is primarily responsible for delivering Windows-based applications. Looking down the line of sight from the datacenter to the users they support, the picture looks like this: Presentation Server is the application delivery controller that initiates the delivery of Windows applications at the point of origin, so it is the center of gravity for this person. Products like Access Gateway, WANScaler and EdgeSight are common to all applications, so they are also essential to IT infrastructure operations.

31 Citrix SmartAccess overview
Who? Endpoint analysis and authentication: which user, which device, which location. Other SSL VPNs stop here. Which content? Access control: XenApp applications, mail servers, web & file servers, network resources. Which actions? Launch over ICA, download, clipboard, save, print. Speaker notes: use this slide to relate the previous analogy to how SmartAccess works. The real difference from competitors is that Citrix can control HOW the application is delivered.
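Slides 23, 24 and 31 describe one mechanism: a pre-authentication scan gates the logon page, and after logon the scan results plus the user's identity select what a SmartAccess policy lets the ICA session do. The Python below is an added example written for this page, not Citrix code: the scan rules, registry key, certificate subject, group and policy names are constructed, and the rule that the lowest-priority matching policy wins (with a launch-only fallback) is the example's assumption.

```python
"""Added example, not Citrix code: endpoint analysis feeding SmartAccess
decisions (slides 23, 24, 31). All names and values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """Facts reported by the client scan (constructed for the example)."""
    files: frozenset
    processes: frozenset
    registry: dict
    services: frozenset
    hotfixes: frozenset
    client_certs: frozenset


@dataclass(frozen=True)
class ScanRule:
    """One EPA criterion. kind is files, processes, services, hotfixes or
    client_certs (presence check) or registry (value check)."""
    kind: str
    key: str
    value: object = None

    @property
    def label(self) -> str:
        return f"{self.kind}:{self.key}"

    def passes(self, ep: Endpoint) -> bool:
        if self.kind == "registry":
            return ep.registry.get(self.key) == self.value
        return self.key in getattr(ep, self.kind)


def run_scan(rules, ep: Endpoint) -> dict:
    """Evaluate every rule so policies can combine the results freely."""
    return {r.label: r.passes(ep) for r in rules}


@dataclass(frozen=True)
class SmartAccessPolicy:
    name: str
    priority: int               # lower wins; first matching policy decides (assumption)
    required_checks: frozenset  # scan labels that must all be True
    required_groups: frozenset  # user must be in one of these (empty = any user)
    actions: frozenset          # ICA actions granted: launch, download, clipboard, save, print

    def applies(self, groups, results) -> bool:
        group_ok = not self.required_groups or bool(self.required_groups & groups)
        return group_ok and all(results.get(k, False) for k in self.required_checks)


def logon(ep: Endpoint, groups: frozenset, rules, preauth_required, policies) -> dict:
    """Pre-auth scan gates the logon page; after (assumed successful)
    authentication the post-auth evaluation picks the action set."""
    results = run_scan(rules, ep)
    if not all(results[k] for k in preauth_required):
        return {"stage": "refused_before_logon", "scan": results}
    for p in sorted(policies, key=lambda p: p.priority):
        if p.applies(groups, results):
            return {"stage": "session", "policy": p.name, "actions": p.actions}
    return {"stage": "session", "policy": "default", "actions": frozenset({"launch"})}


# --- constructed sample configuration and endpoints (not from the page) ---
RULES = (
    ScanRule("processes", "av.exe"),
    ScanRule("registry", r"HKLM\SOFTWARE\Corp\Managed", 1),
    ScanRule("client_certs", "CN=Corp Device CA"),
)
PREAUTH_REQUIRED = frozenset({"processes:av.exe"})
POLICIES = (
    SmartAccessPolicy("contractor_launch_only", 5, frozenset(), frozenset({"contractors"}),
                      frozenset({"launch"})),
    SmartAccessPolicy("managed_device_full", 10,
                      frozenset({r"registry:HKLM\SOFTWARE\Corp\Managed", "client_certs:CN=Corp Device CA"}),
                      frozenset(), frozenset({"launch", "download", "clipboard", "save", "print"})),
    SmartAccessPolicy("unmanaged_view_print", 20, frozenset(), frozenset(),
                      frozenset({"launch", "print"})),
)


def managed_laptop() -> Endpoint:
    return Endpoint(frozenset({r"C:\Program Files\AV\av.exe"}), frozenset({"av.exe"}),
                    {r"HKLM\SOFTWARE\Corp\Managed": 1}, frozenset({"WinDefend"}),
                    frozenset(), frozenset({"CN=Corp Device CA"}))


def home_pc(av_running: bool) -> Endpoint:
    return Endpoint(frozenset(), frozenset({"av.exe"}) if av_running else frozenset(),
                    {}, frozenset(), frozenset(), frozenset())
```

Note that a scan can only report what the client says about itself; the certificate check is the only criterion here that is hard for a user to fake, which is why the constructed "full" profile requires it in combination with the registry marker rather than either alone.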

32 Access Gateway and XenApp
The best SSL VPN solution for XenApp environments: replaces Secure Gateway with a hardened appliance; single logon via Web Interface; support for all applications and protocols; extends application delivery with SmartAccess; secure application virtualization. Speaker notes: discuss SmartAccess, Secure Gateway replacement and secure application virtualization.

33 Access to XenApp (without VPN)
1) The user opens the URL https://agee.corp.ctx (SSL). 2) Access Gateway terminates SSL, authenticates the user and checks the endpoint. 3) The reverse proxy passes the logon information and policy settings to Web Interface (HTTPS). 4) Web Interface presents the applications (HTTPS). 5) The user clicks an application icon. 6) Web Interface requests a ticket from the XML service (XML). 7) Web Interface sends the ticket to the user in an ICA file. 8) The ICA client establishes an ICA connection over SSL to Access Gateway (SSL). 9) Access Gateway validates the ticket (XML). 10) The ICA session is established (ICA). Components: client, Access Gateway, Web Interface, Presentation Server farm. Speaker notes, important points to remember: Web Interface can point to any VPN vserver, not necessarily the one users connect to; Web Interface must be able to resolve the FQDN of the virtual server; Web Interface must be able to route to the virtual server IP over HTTPS; Web Interface must trust the SSL certificate at machine level.
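The ten-step flow above is easy to get wrong when reimplemented, so here is an added Python simulation (not Citrix code) of the three parties that matter for security: the XML service as ticket authority, Web Interface, and the gateway. The ticket lifetime, its single-use property and the ICA file field names are assumptions of the example modelled on Secure Gateway behaviour, not facts from the slide; the gateway name agee.corp.ctx is the slide's, the internal server addresses are constructed.

```python
"""Added example, not Citrix code: the ticketed ICA launch of slide 33.
Lifetime, single use and ICA file keys are this example's assumptions."""
import secrets
import time


class XmlService:
    """Stands in for the XML service acting as ticket authority. A ticket maps
    to the internal server it was issued for, is valid for ttl_seconds and is
    consumed on first validation (assumed behaviour, as with STA tickets)."""

    def __init__(self, ttl_seconds: float = 100.0, clock=time.time):
        self._tickets = {}          # ticket -> (server, port, expires_at)
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested

    def request_ticket(self, server: str, port: int) -> str:
        ticket = secrets.token_urlsafe(24)   # unguessable and opaque to the client
        self._tickets[ticket] = (server, port, self.clock() + self.ttl)
        return ticket

    def validate_ticket(self, ticket: str):
        entry = self._tickets.pop(ticket, None)   # single use: gone after this call
        if entry is None:
            return None
        server, port, expires_at = entry
        if self.clock() > expires_at:
            return None
        return server, port


class WebInterface:
    """Steps 6 and 7: obtains a ticket and builds the ICA file for the user."""

    def __init__(self, xml: XmlService, gateway_fqdn: str):
        self.xml, self.gateway = xml, gateway_fqdn

    def launch(self, server: str, port: int = 1494) -> dict:
        ticket = self.xml.request_ticket(server, port)
        # The file names only the gateway; the internal address never leaves the DMZ.
        # Field names are illustrative, not the real ICA file keys.
        return {"Address": f"{self.gateway}:443", "SSLEnable": "On", "Ticket": ticket}


class AccessGateway:
    """Steps 8 to 10: accepts the ICA-over-SSL connection and validates the ticket."""

    def __init__(self, xml: XmlService, fqdn: str):
        self.xml, self.fqdn = xml, fqdn

    def accept_ica(self, ica_file: dict):
        if ica_file.get("Address") != f"{self.fqdn}:443":
            return "reject", "ICA file does not name this gateway"
        target = self.xml.validate_ticket(ica_file.get("Ticket", ""))
        if target is None:
            return "reject", "ticket invalid, expired or already used"
        return "connect", target      # the gateway now proxies ICA to (server, port)


def demo(now: float = 1000.0) -> dict:
    """Run the flow once with a frozen clock; returns what each step produced."""
    clock = [now]
    xml = XmlService(ttl_seconds=100.0, clock=lambda: clock[0])
    wi = WebInterface(xml, "agee.corp.ctx")
    gw = AccessGateway(xml, "agee.corp.ctx")
    ica = wi.launch("10.20.30.40")            # constructed internal server address
    first = gw.accept_ica(ica)
    replay = gw.accept_ica(ica)               # same ticket presented again
    stale = wi.launch("10.20.30.41")
    clock[0] += 200                           # well past the lifetime
    expired = gw.accept_ica(stale)
    return {"ica": ica, "first": first, "replay": replay, "expired": expired}
```

The two properties worth checking in any real deployment are visible in demo(): the ICA file handed to the browser contains no internal address, and a captured ticket is worthless once used or once its lifetime has passed.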

34 Modes for Secure Gateway replacement
Pure Secure Gateway: VPN authentication is OFF; Web Interface in direct mode handles authentication. Secure Gateway with single sign-on: VPN authentication is ON; Web Interface in indirect mode; user credentials are passed through to Web Interface for SSO. Secure Gateway with SmartAccess: VPN authentication is ON, pre-auth and post-auth EPA are configured; Web Interface in indirect and "Access Gateway Enterprise" mode; XenApp configured for filters and access policies. Speaker notes: the different modes in which Secure Gateway replacement can be deployed with AG-EE. Pure SG mode requires Web Interface to authenticate and authorize the user for access to XenApp applications. SG with SSO: the appliance authenticates the user and signs on to Web Interface. SG with SmartAccess: the appliance authenticates the user, pre-auth and post-auth policies are configured and passed to Web Interface in AG-E mode, which filters and presents the XenApp applications.

35 Citrix Access Gateway and XenDesktop
Same diagram and speaker notes as slide 30 (NetScaler, XenApp, XenDesktop, EdgeSight, WANScaler, Access Gateway, Users, Apps); highlighted here: secure delivery of Windows desktops.

36 Secure access & delivery of applications
Diagram labels: datacenter; Access Gateway; ICA/CGP; ICA + SSL; HTTPS; virtual desktops; HTTPS with SSO; XML; user. XenDesktop: secure desktop virtualization. Speaker notes, end-user experience: the user points the browser to the Access Gateway URL; endpoint analysis may be performed before the logon page is displayed; the AG-E logon page appears; the user authenticates with single-factor or two-factor authentication; after successful authentication the Secure Access Client may be offered, and the user is redirected to the XenDesktop Web Interface site; the XenDesktop controller enumerates desktops without another logon and the user clicks a desktop icon; the published desktop appears; on logout, the Access Gateway logon page appears. Notes: AG-E supplies all pre-authentication EPA and logon pages; single sign-on uses the same callback method as AG-A; SmartAccess is available and could be used to filter desktop availability.

37 Secure delivery of desktops with Access Gateway & XenDesktop
Secures the delivery of remote desktops: secure delivery of virtualized desktops; SmartAccess policies. Highest security for data in transit: data and desktops stay in the datacenter; security policies enforce endpoint device compliance; the central desktop is isolated from the local desktop; partner or third-party PCs can be brought into the network. Greatly simplifies desktop management; reduces desktop computing costs by up to 40%. Speaker notes: XenDesktop takes simple virtualization to the next level by enabling IT departments to deliver and manage end-user desktop deployment centrally and simply.

38 Access Gateway redirecting to XenDesktop
Screenshots: 1. Access Gateway supports single sign-on to Web Interface by default. 2. Available XenDesktops can be based on SmartAccess. 3. The user is connected to their desktop. 4. The XenDesktop session is securely delivered through Access Gateway.

39 Secure Access and XenDesktop
A secure connection is established between the client and Access Gateway. SmartAccess decides which applications are delivered. The XenDesktop session is tunneled through the Access Gateway client. Speaker notes: in this scenario a user launches the Citrix Access Gateway client to establish a VPN connection; a XenDesktop can then be launched and is tunneled through the secure connection.

40 Citrix Access Gateway and NetScaler
Same diagram and speaker notes as slide 30; highlighted here: secure delivery of web applications.

41 Access Gateway and NetScaler: business continuity & disaster recovery
Global Server Load Balancing: redirects client connections to the nearest available datacenter; implements multi-site disaster recovery. Diagram: several primary sites and a DR site, all reached under corp.xyz.com. One URL for the site supports "active-passive" site failover. Speaker notes: this example shows an active/passive deployment with a "hot standby" site that only receives users if a primary site becomes unavailable. All users are given the same URL (corp.xyz.com) and GSLB transparently directs them to their primary site. If a primary site becomes unavailable, its users are transparently directed to the standby site; the affected user group still uses the same URL and may not even notice that it is reaching a different site.

42 Access Gateway & NetScaler Application Firewall
Blocks application attacks; only legitimate traffic passes. Diagram: web app users, Internet, network access, Citrix NetScaler Platinum Edition (incl. Access Gateway Enterprise Edition), backend servers. Protects web applications and backend data. Speaker notes: that is where the NetScaler Application Firewall module comes in. Integrated into Citrix NetScaler, it sits behind the network firewalls and in front of the important web applications, protecting them from attacks automatically with no signatures or updates required. Configure it once and you are done; in most cases it can be up and running in less than 30 minutes.

43 New features in version 8.1

44 AG 8.1: clientless, browser-only access
Feature: clientless, browser-only access. Description: Enterprise Edition supports clientless access (URL rewriting) for simple web applications, Web Interface and Microsoft Outlook Web Access. Impact: significant for Access Gateway Advanced Edition. Note: clientless access to Microsoft SharePoint is not supported, and clientless VPN access is not ICSA compliant.

45 AG 8.1: SmartAccess enhancements
Feature: access scenario fallback. Description: the access method a user logs on with can automatically fall back from full/clientless to ICA; in addition, users can optionally choose which access method they want to use. Impact: Access Gateway Advanced Edition.

46 AG 8.1: wizards and documentation
Feature: revised Access Gateway wizard and Published Applications wizard. Description: the new wizards let administrators configure Enterprise Edition through simple workflows. Impact: simplifies deployment by automating everyday tasks such as certificate management, integration with XenApp, Web Interface configuration and port redirection. Feature: revised documentation. Description: the Enterprise Edition documentation is being completely reworked, organized around everyday tasks and therefore easier to understand. Impact: improves deployability and reduces the complexity of deploying Enterprise Edition.

47 AG 8.1: portal improvements
Feature: NavUI accessible via clientless VPN. Description: access to the NavUI, including published applications, web bookmarks and file shares, via clientless VPN. Impact: Access Gateway Advanced Edition enhancement. Feature: Web Interface/NavUI integration. Description: new option for Web Interface servers; published applications are automatically displayed in part of the NavUI on AG EE. Impact: Access Gateway Advanced Edition; replaces the workaround that required editing HTML files manually. Feature: file-type association supported. Description: Enterprise Edition now also supports file-type associations; requires manual settings in Web Interface. Impact: Access Gateway Advanced Edition.

48 AG 8.1: client improvements
Feature: Windows Vista support
Description: Enterprise Edition supports Windows Vista for both endpoint analysis (EPA) and the Secure Access Client.
Impact: the NDIS driver is aligned with Access Gateway Standard Edition, so the two clients can coexist.
Feature: Windows auto-logon
Description: Single sign-on to the Secure Access Client after the user has logged on to Windows XP or Vista.
Impact: parity with Access Gateway Standard Edition.
Feature: MSI packaging for the Secure Access Client
Description: The Secure Access Client will be available as a standalone MSI package.
Impact: allows distribution of the Secure Access Client via standard software deployment tools.
Feature: Secure Access Client UI aligned with Access Gateway Standard Edition
Description: The look and feel of the Secure Access Client is more consistent, e.g. double-clicking the AG tray icon opens the logon window.
Impact: Access Gateway Standard Edition parity item.

49 Clientless Access: URL rewriting
Allows a secure connection without installed client software.
Supported: portal page, generic web pages, Outlook Web Access Light, Outlook Web Access Premium.
Speaker notes: We will be providing access to the following applications in future releases: SharePoint 2003, SharePoint 2007.

50 Clientless Access: e-mail support

51 Clientless Access: URL rewriting
URLs are rewritten in one of three formats. If the VPN access URL is https://gateway.company.com and the resource to be reached in clientless mode is http://intranet/dir/file.html, it is encoded as:
Opaque: base64 encoding obfuscates the scheme and host, e.g. https://gateway.company.com/cvpn/aHR0cDovL2ludHJhbmV0/dir/file.html
Transparent: no encoding; scheme and host are visible in the clientless URL, e.g. https://gateway.company.com/cvpn/http/intranet/dir/file.html
Encrypt: scheme and host are encrypted with the session key, e.g. https://gateway.company.com/cvpn/dsjDSdFke43Ffdef89nRkj39K83rj39hr3/dir/file.html
Example from the screenshot: the rewritten URL for http://www.google.com/ is https://gateway.corp.com/cvpn/aHR0cDovL3d3dy5nb29nbGUuY29t/ (the token is the base64 form of http://www.google.com).
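To make the formats concrete, here is an added Python example; it is not Citrix code and does not reproduce the appliance's implementation. It rewrites a target URL into the opaque and transparent forms and resolves them back, reproducing the URLs on this slide. Standard base64 (the RFC 4648 alphabet, with padding) is assumed for the opaque form; the slide does not say how the appliance handles tokens that would contain '+' or '/' or padding. The encrypt form depends on the per-session key and is not reproduced; such a token fails the base64 check below. The allowed_hosts check in resolve_url is an added hardening that the slide does not describe: a gateway that resolves arbitrary scheme://host values from the URL becomes a proxy into the internal network unless the decoded host is validated, and base64 is obfuscation, not confidentiality.

```python
import base64
from typing import Optional, Set
from urllib.parse import urlsplit

# Path prefix used by the slide's examples.
CVPN_PREFIX = "/cvpn/"


def rewrite_url(gateway: str, target: str, mode: str = "opaque") -> str:
    """Rewrite an internal URL into its clientless-VPN form behind `gateway`.

    mode="opaque":      scheme://host is base64-encoded (standard alphabet assumed).
    mode="transparent": scheme and host appear in clear as two path segments.
    The "encrypt" mode needs the per-session key and is not reproduced here.
    """
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"unsupported target URL: {target!r}")
    origin = f"{parts.scheme}://{parts.netloc}"
    if mode == "opaque":
        token = base64.b64encode(origin.encode("ascii")).decode("ascii")
    elif mode == "transparent":
        token = f"{parts.scheme}/{parts.netloc}"
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    tail = parts.path or "/"
    if parts.query:
        tail += "?" + parts.query
    return f"{gateway.rstrip('/')}{CVPN_PREFIX}{token}{tail}"


def resolve_url(rewritten: str, allowed_hosts: Optional[Set[str]] = None) -> str:
    """Turn an opaque or transparent clientless URL back into the target URL.

    `allowed_hosts` is an added hardening: if given, the decoded host must be in
    it, otherwise the request is refused instead of being proxied.
    """
    parts = urlsplit(rewritten)
    if not parts.path.startswith(CVPN_PREFIX):
        raise ValueError("not a clientless VPN URL")
    rest = parts.path[len(CVPN_PREFIX):]
    first, _, remainder = rest.partition("/")
    if first in ("http", "https"):
        # Transparent form: /cvpn/<scheme>/<host>/<path>
        host, _, remainder = remainder.partition("/")
        origin = f"{first}://{host}"
    else:
        # Opaque form: /cvpn/<base64(scheme://host)>/<path>
        try:
            origin = base64.b64decode(first, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError) as exc:
            raise ValueError("malformed opaque token") from exc
    o = urlsplit(origin)
    if o.scheme not in ("http", "https") or not o.netloc or o.path:
        raise ValueError(f"decoded origin is not scheme://host: {origin!r}")
    if allowed_hosts is not None and o.hostname not in allowed_hosts:
        raise PermissionError(f"host {o.hostname!r} is not an allowed clientless target")
    target = origin + "/" + remainder
    if parts.query:
        target += "?" + parts.query
    return target


if __name__ == "__main__":
    gw = "https://gateway.company.com"
    for mode in ("opaque", "transparent"):
        url = rewrite_url(gw, "http://intranet/dir/file.html", mode)
        print(mode, url, "->", resolve_url(url, allowed_hosts={"intranet"}))
```

The two slide examples decode as stated: aHR0cDovL2ludHJhbmV0 is http://intranet and aHR0cDovL3d3dy5nb29nbGUuY29t is http://www.google.com, so anyone who can read the URL can recover the internal host name from the opaque form with one base64 decode.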

52 Access Gateway wizards
Create or modify an SSL VPN virtual server (new)
Configure certificates (new)
Configure name resolution
Configure authorization
Default authorization action (new)
Configure port 80 redirection (new)
Configure clientless access (new)
Published applications (new)
ICA connections (new)
Speaker notes: The SSL VPN node has been renamed Access Gateway in 8.1. The SSL VPN Wizard has been renamed Access Gateway Wizard and includes new functionality.

53 Client access options (Client Choices)
Gives users the choice between the Secure Access Client and the Web Interface.
Uses client security expressions to control conditionally whether the Secure Access Client is offered.
Speaker notes: Allows the end user to choose the type of access they want, based on post-authentication scans, also called client security expressions. Note that quarantine groups are not used here.

54 Access scenario fallback
Access scenario fallback additionally uses a quarantine group together with the client security string.
Speaker notes: In this case, instead of presenting the user with a Client Choices page, the decision is made automatically and the user is given either full access or limited access (clientless VPN or Web Interface). The post-authentication scan (client security expression) is used together with the quarantine group concept.

55 Three access options are offered
Speaker notes: User interface that lets the end user decide on the type of access they want.

56 Web Interface look and feel in the NavUI
The home page entry is left empty to support the embedded Web Interface.
Speaker notes: Better integration with the WI website. The administrator can choose between two settings, Compact and Normal. The WI mode can be set to Normal or Compact, but the Web Interface must be configured in the same mode.

57 Normal mode: the user has to use the scroll bar to move up and down to reach the XenApp applications (iframe).

58 Compact mode: lists the applications in a window that does not scroll (fixed or compact mode).

59 Custom mode
Feature parity with AG Advanced Edition, in case a customer wants the same look and feel.
Procedure for WI 4.2+:
1. Open the file site/serverscripts/include.cs. Make a backup copy of this file before editing it.
2. Find the getAGEAccessMode() method and change the return statement so that it always returns AGEAccessMode.EMBEDDED. The changed lines were highlighted in red on the slide; the method then reads:

    /**
     * Gets the access mode of the site when the Web Interface is being accessed via
     * Access Gateway Enterprise. The access method determines the behaviour of the
     * site.
     * Returns the current access mode, or null if the access mode was not recognised
     * or the site is not being accessed via AGE.
     */
    public AGEAccessMode getAGEAccessMode()
    {
        bool AGEIntegrationEnabled = getAuthenticationConfiguration().isEnabledMethod(AuthMethod.AGE_PASSTHROUGH);
        AGEAccessMode accessMode = Session[SV_AGE_ACCESS_MODE] as AGEAccessMode;
        // Original return, disabled by this customisation:
        //return AGEIntegrationEnabled ? accessMode : null;
        // Always present the site in embedded mode, whatever AGE reports:
        return AGEAccessMode.EMBEDDED;
    }

3. Save the file.
4. Test access through Access Gateway Enterprise Edition.
Procedure for WI 4.5+:
1. Open the file <site-root>\app_data\site\serverscripts\include.aspxf (back it up first).
2. The method is the same; its comment additionally notes "This method will return null if called before authentication has completed." Comment out the line

    //return isAGEIntegrationEnabled() ? accessMode : null;

   and return AGEAccessMode.EMBEDDED instead, as above.
3. Save the file and test access through Access Gateway Enterprise Edition.
Alternatively, the WI site can be configured for embedded mode by adjusting the site properties; see the CTX article for details.

60 Network overview
Speaker notes: To be used when discussing deployments and networking, and when network architects are in the meeting.

61 One-arm versus two-arm
One-arm deployment: (1) user request → (2) user request → (3) server response → (4) server response, all over a single interface and subnet.
Two-arm deployment: the same sequence, with client-facing and server-facing traffic on separate interfaces and subnets.
Speaker notes: Discuss one-arm and two-arm deployments. Access Gateway works in both modes; which one to deploy is the customer's preference.

62 Five types of IP address on the Access Gateway
Virtual server IP (VIP)
Management IP (NSIP)
Subnet IP / Mapped IP (SNIP/MIP)
Intranet IP (IIP)
[Diagram: users → VIP; NSIP for administration and authentication; SNIP/MIP → backend servers; IIP assigned to VPN clients]
Speaker notes: Explain the different IPs configured on the Access Gateway. VIP: external IP address of the SSL VPN virtual server. NSIP: used to administer the Access Gateway. SNIP/MIP: all internal communication is sourced from these addresses. IIP: IP address allocated to the SSL VPN client/end user from an IP pool; communication from the end user to backend servers is sourced from this address. A SNIP supports the RIP, OSPF and BGP routing protocols.

63 Basic firewall and port rules
Sample deployment: AG EE in the DMZ.
Users → VIP: 443, 80* (HTTP/TCP)
NSIP → DNS: 53 (UDP)
NSIP → AD/LDAP: 389/636 (TCP)
SNIP → XenApp and Web Interface: 80, 8080, 443 (HTTP/TCP); 1494, 2598 (TCP)
AGEE admin → NSIP: 443, 80 (TCP/HTTP); 3010, 3008, 22 (TCP)
* Port 80 is used for the HTTPS redirect.
Speaker notes: Discuss the AG IPs and their functions.

64 Common firewall and port requirements
Source | Destination | Port | Use
Internet | VIP | 443 | SSL virtual server connections
Internet | VIP | 80 | port 80 redirection
Management console (admin) | NSIP | 22, 80, 3008, 3010 | SSH, web tool, Java admin tool
NSIP | LDAP server | 389 | LDAP
NSIP | LDAP server | 636 | secure LDAP
NSIP | RADIUS server | 1812 | RADIUS
NSIP | DNS server | 53 | DNS queries
Speaker notes: The regular GUI uses port 80 for HTTP and 3010 for the applets; the secure GUI uses 443 and 3008. Talk about what each port does, why it needs to be opened and between which IPs.

65 WI/CPS firewall and port requirements
Source | Destination | Port | Use
MIP/SNIP | Web Interface | 80 | WI over HTTP
MIP/SNIP | Web Interface | 443 | WI over HTTPS
MIP/SNIP | CPS (XenApp) server | 1494 or 2598 | ICA traffic
MIP/SNIP | STA server | 8080 or 443 | STA communication
Web Interface | VIP | (port not shown on the slide) | SSO callback
Speaker notes: Same concept here. The WI SSO callback is important for the SmartAccess capabilities.
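As an added example (not part of the presentation and not a Citrix tool), the port matrix from slides 63 to 65 turned into a check that runs over firewall log lines. Every address, the admin subnet and the sample log lines are constructed for this example, and the port of the Web Interface-to-VIP SSO callback, which the slide does not state, is assumed to be 443. The case a practitioner wants to catch is the negative one: an accepted connection from the Internet to the NSIP management ports, or from the SNIP to a backend port the matrix does not list, is reported as a finding.

```python
import ipaddress
import re
from typing import List, Optional, NamedTuple

# Addresses are constructed for this example; they are not from the slides.
ROLES = {
    "203.0.113.10": "VIP",    # SSL VPN virtual server (public)
    "10.0.0.5": "NSIP",       # management IP
    "10.0.0.6": "SNIP",       # subnet IP, source of traffic to backends
    "10.0.1.10": "LDAP",
    "10.0.1.11": "DNS",
    "10.0.1.12": "RADIUS",
    "10.0.2.20": "WI",        # Web Interface
    "10.0.2.21": "STA",       # Secure Ticket Authority
    "10.0.3.30": "XENAPP",    # XenApp / CPS server
}
ADMIN_NET = ipaddress.ip_network("10.10.0.0/24")  # constructed admin subnet

# Port matrix from slides 63-65: (source role, destination role, proto, port).
# "*" means any source. The WI -> VIP callback port is not on the slides; 443 is assumed.
ALLOWED = {
    ("*", "VIP", "tcp", 443), ("*", "VIP", "tcp", 80),
    ("ADMIN", "NSIP", "tcp", 22), ("ADMIN", "NSIP", "tcp", 80), ("ADMIN", "NSIP", "tcp", 443),
    ("ADMIN", "NSIP", "tcp", 3008), ("ADMIN", "NSIP", "tcp", 3010),
    ("NSIP", "LDAP", "tcp", 389), ("NSIP", "LDAP", "tcp", 636),
    ("NSIP", "RADIUS", "udp", 1812), ("NSIP", "DNS", "udp", 53),
    ("SNIP", "WI", "tcp", 80), ("SNIP", "WI", "tcp", 443),
    ("SNIP", "XENAPP", "tcp", 1494), ("SNIP", "XENAPP", "tcp", 2598),
    ("SNIP", "STA", "tcp", 8080), ("SNIP", "STA", "tcp", 443),
    ("WI", "VIP", "tcp", 443),
}


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def role_of(ip: str) -> str:
    """Map an address to its role; unknown addresses are ADMIN or INTERNET."""
    if ip in ROLES:
        return ROLES[ip]
    return "ADMIN" if ipaddress.ip_address(ip) in ADMIN_NET else "INTERNET"


def flow_allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """True if the matrix permits this (source, destination, proto, port)."""
    s, d = role_of(src), role_of(dst)
    return (s, d, proto, dport) in ALLOWED or ("*", d, proto, dport) in ALLOWED


# Matches the constructed log format used below, e.g. "src=a dst=b proto=tcp dport=443".
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+)")


def parse_flow(line: str) -> Optional[Flow]:
    m = LOG_RE.search(line)
    if not m:
        return None
    return Flow(m["src"], m["dst"], m["proto"], int(m["dport"]))


def audit(lines) -> List[Flow]:
    """Return the accepted flows in `lines` that the port matrix does not permit."""
    return [f for f in map(parse_flow, lines) if f is not None and not flow_allowed(*f)]


# Constructed sample of firewall log lines (not real data).
SAMPLE_LOG = [
    "2008-06-01T10:00:00 fw ACCEPT src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=443",
    "2008-06-01T10:00:01 fw ACCEPT src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=22",   # NSIP reachable from Internet
    "2008-06-01T10:00:02 fw ACCEPT src=10.10.0.15 dst=10.0.0.5 proto=tcp dport=3010",
    "2008-06-01T10:00:03 fw ACCEPT src=10.0.0.6 dst=10.0.3.30 proto=tcp dport=2598",
    "2008-06-01T10:00:04 fw ACCEPT src=10.0.0.6 dst=10.0.3.30 proto=tcp dport=3389",    # RDP is not in the matrix
    "2008-06-01T10:00:05 fw ACCEPT src=10.0.0.5 dst=10.0.1.10 proto=tcp dport=636",
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(f"not permitted: {v.src} ({role_of(v.src)}) -> {v.dst} ({role_of(v.dst)}) {v.proto}/{v.dport}")
```

Run against the sample it reports two flows: SSH from an Internet address to the NSIP, which means the management interface is exposed, and RDP from the SNIP to the XenApp server, which the matrix does not cover. Role-based matching is what makes the check useful beyond these addresses: the same matrix applies once the address-to-role map is filled in for a real deployment.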

66 Summary

67 Hardware and software overview
Hardware: Access Gateway 2000 series, 7000 series, 9000 series, 10000 series; NetScaler 12000 series.
Licensing: Access Gateway Universal License; Standard License; XenApp and/or XenDesktop Platinum; NetScaler Platinum (100 Universal Licenses included).
Speaker notes: Explain both the hardware and the software (licensing) components.

68 Overview of the Access Gateway product line
Standard Edition: entry-level SSL VPN. A cost-effective solution that is easy to deploy and easy to administer, for companies looking for secure remote access. No need to roll out the VPN client to individual endpoints; the client is downloaded automatically.
Advanced Edition: ideal for small and mid-sized companies (fewer than 500 users); provides SmartAccess functionality for flexible, granular access control. Also supports browser-based, clientless access, including for PDAs, smartphones and kiosk systems.
Enterprise Edition: the SSL VPN solution for large environments; best scalability, central management, HA option and integrated application acceleration and optimization features. The SmartAccess component is integrated; no additional external server is needed.
Speaker notes: First position the three editions as the product line, then discuss the target market for each edition. Note that in 2007 the positioning of Advanced Edition changed to the mid-market, up to 500 users. Our primary focus for SSL VPN in 2007 and going forward is Enterprise Edition, but all editions are still being developed with new releases planned (nothing has been end-of-lifed). Each edition serves its own market and purpose.

69 Positioning: Access Gateway Standard Edition
Replaces Secure Gateway
Appliance-based solution
Concurrent user (CCU) licensing
Basic SSL VPN functionality
Target group: smaller companies
Simple deployment and distribution
Speaker notes: Discuss SG replacement, the appliance solution, the user-base limit and the SSL VPN functionality. The customer is likely to have a Citrix XenApp environment. Talk about how easy the product is to configure and deploy, and that we still sell thousands of appliances every quarter. Point out how readily our partners adopted this product line, since it was seen mostly as an SG replacement. Talk about the limitations in scalability and enterprise-level features such as HA, clientless access, the supported authentication types and the lack of SmartAccess.

70 Positioning: Access Gateway Advanced Edition
Standard Edition plus:
Replaces Secure Gateway
SmartAccess functionality
Browser-based access, no client installation needed
Target group: small and mid-sized companies
Speaker notes: Discuss SmartAccess and clientless, browser-based access to applications, web resources and files/folders. It has the same problems with scalability and enterprise-level features as Standard Edition, and there are open issues and escalations with this product line.

71 Positioning: Access Gateway Enterprise Edition
High-end product and functionality
SmartAccess functionality
Replaces Secure Gateway
Supports thousands of users
Target group: enterprise market
Highest performance and scalability
Speaker notes: Discuss enterprise-class features such as HA, optimization, scalability, compression and acceleration. Supports basic SmartAccess and SG replacement functionality. Although it is a strong SSL VPN product, competitors such as Juniper and Cisco are one to two years ahead of us in features and development effort, so we have limited play in the pure SSL VPN market. Strengths: secure application access and SmartAccess.
