Transcript of Direct Link to 3109.PPT

Page 1: Direct Link to 3109.PPT

How to Configure Citrix Access Gateway for Advanced Access Control

Aaron Cockerill, Dir. Product Management; Patrick Boucher, Senior Sales Engineer; Hopeful Owitti, Senior Architect

Page 2: Direct Link to 3109.PPT

2 © 2005 Citrix Systems, Inc.—All rights reserved.

Agenda

1 Access Gateway for Advanced Access Control

2 Advanced Access Control Console

3 Examining the Endpoint Security SDK

4 Conclusion

Page 3: Direct Link to 3109.PPT

Citrix Delivers Access Security

Perimeter Security: establishes a barrier to keep malicious attacks from affecting the productivity of the organization

Access Security: provides regulated access to the business resources users need to perform their duties

Page 4: Direct Link to 3109.PPT

Secure Access Challenges

• Anywhere access to business applications and data

• Expanding access to more users and device types cost-effectively

• Prevent downtime and business loss from security breaches

• Meet or exceed security, privacy and regulatory concerns

[Figure: device types shown: Mobile PDA, Kiosks, Partner Machine, Corporate Laptop, Home Computer]

Page 5: Direct Link to 3109.PPT

The Customer Problems

• Endpoint security, identification, and integrity validation
• Centralized access control to all IT resources
• Hardened appliance
• Control over how information and applications can be used
• Consistent user experience (bandwidth, latency, device idiosyncrasies)
• Cannot access from behind firewalls
• Access from widely varying devices
• Minimize re-authentication on re-connect
• Need access to all internal IT resources

[Figure: Mobile PDA, Home Computer, Partners and Corporate Laptop reach the Access Gateway across the Internet and a firewall; behind a second firewall, Advanced Access Control fronts File Servers, Web or App Servers, CPS Applications, Local Users, Email Servers, and Desktops & Phones]

Page 6: Direct Link to 3109.PPT

Citrix Access Strategy

[Figure: a Piece-Part Approach (Security, Interoperability & Management Gaps) contrasted with an Integrated Approach (Secure, Integrated, Flexible & Extensible); components shown: SSL VPN, Access Rights Management, Enterprise Single Sign-On, End-Point Security, Real-Time Collaboration, User Assistance, Application Delivery, Visibility & Reporting]

Page 7: Direct Link to 3109.PPT

Product Components

Access Gateway + Advanced Access Control

Access Gateway:
• Hardened appliance in DMZ
• Enables end-to-end secure communication via SSL
• Authentication point
• Enforces policies generated by Advanced Access Control

Advanced Access Control:
• Deployed in a secured network
• Deployed on Windows Server platform
• Centralizes administration, management & policy based access control
• Centralized reporting and auditing
• Manages endpoint analysis and client delivery
• Extends access to more devices and scenarios
• Advanced policy engine with action control

Page 8: Direct Link to 3109.PPT

Advanced Access Control Features & Benefits

(Feature, Function, Benefit)

Policy-based Access and Action Control
Function: detect and adapt policies based on access scenario to control the flow of the organization's sensitive data
Benefits: granular access controls; intellectual property protection; extends user's access to more situations; enhances security without affecting the user experience

Endpoint Analysis
Function: determines client device status for access policies and provides device remediation
Benefits: enables corporate and regulatory compliance; extensible with industry standard development tools to meet customer needs

Browser-only Access
Function: access with any web browser on any device to web sites, files, and email
Benefits: no additional client components; ubiquitous access

Mobile Device Awareness
Function: re-factored email and file interface for PDAs and small-form factor devices
Benefits: seamless device transition; user productivity

Extended Access Control for Presentation Server
Function: policy-based control of Presentation Server using end-point analysis and network location awareness
Benefits: addresses regulatory and security concerns; enhances Web Interface

Centralized Logging and Trend Reporting
Function: provides sophisticated usage data for troubleshooting and planning
Benefits: improved management; easy integration with 3rd party tools

Page 9: Direct Link to 3109.PPT

SmartAccess Technology

Extensive policy-based sense and response

– Automatically reconfigures the appropriate level of access as users roam between devices, locations and connections
– Advanced, extensible end-point security policies and analysis
– Action control defines what the user can access, and what actions they can take

Page 10: Direct Link to 3109.PPT

SmartAccess: Overview

Analyze Access Scenario:
• Analyze endpoint to ensure connections are:
– Safe – ensure connection will not harm corporate infrastructure
– Trusted – analyze user, machine, and network identity to ensure the connection is being made as claimed
– Secure – ensure malicious parties cannot attack corporate infrastructure from connecting devices
• Provide an extensible architecture (via SDK) to allow customers and 3rd parties to easily create custom scans

[Figure: Analyze Access Scenario. Machine Identity: NetBIOS name, Domain Membership, MAC address. Machine Configuration: Operating System, Anti-Virus System, Personal Firewall, Browser. Network Zone; Login Agent; Authentication Method; Custom Endpoint Scans]

Page 11: Direct Link to 3109.PPT

SmartAccess: Overview

[Figure: Analyze Endpoint & Connection. Machine Identity: NetBIOS name, Domain Membership, MAC address. Machine Configuration: Operating System, Anti-Virus System, Personal Firewall, Browser. Network Zone; Login Agent; Authentication Method; Client Certificate Queries; Custom Endpoint Scans. Implement Access Control: CPS applications, File & network shares (UNCs), Web based email, Web sites (URLs), Web applications, Email & application synchronization]

Policy Based Access Control:
• Situational or contextual access control based on user membership, authentication strength, device and connection to ensure IT resources are not exposed to unwarranted risk

Page 12: Direct Link to 3109.PPT

SmartAccess: Overview

[Figure: Analyze Endpoint & Connection, Implement Access Control and Implement Resource Usage Control, with the same endpoint checks and resource types as on the preceding slide; also labelled: SSL-VPNs]

Implement Resource Usage Control:
• Full download of documents
• LiveEdit: edit locally; save back to server; retain in memory during edit; avoid data leakage on client
• Preview documents with HTML: access from PDAs; view without application on client
• Attach to email: avoid data transmission to client
• CPS Applications: control available applications; limit local mapped drives & printing

Intellectual Property Control:
• Manage the use of sensitive information by:
– controlling how information is accessed and used (CPS, HTML Preview, LiveEdit etc.)
– controlling what can be done with that information (download, print, save, copy, etc.)
– ensuring no data is left on the local machine
• Enable companies to log all access

Page 13: Direct Link to 3109.PPT

Granular Access Controls

Corporate Desktop:
• File Download
• Local Edit and Save
• File Upload
• E-mail Sync
• Web E-mail
• Full Presentation Server Access
• Full Presentation Server App Set

Remote Corporate Device:
• Edit in Memory
• Limited Presentation Server access (read-only local drive mapping)
• Limited Presentation Server application set
• File Preview
• File Upload
• E-mail Sync
• Web E-mail

Public Kiosk:
• File Preview
• Web E-mail
• Controlled Presentation Server Access

Page 14: Direct Link to 3109.PPT

Browser-only Access

• Extend access to any device with a browser

• Absolutely no client required

• Deliver e-mail, file shares, web sites/applications to any device with a browser

• Automatically render Microsoft Office documents to HTML preview

Page 15: Direct Link to 3109.PPT

Browser-only Access: Overview

• For use when an Access Gateway client is not deployed

• Obfuscates internal URLs

• Controls client-side caching

• Enforces access control

• Provides access to:
– Protected Web Sites via the Web Proxy
– File Shares via the Nav UI
– Web email via Outlook Web Access, iNotes, or the Nav UI

Page 16: Direct Link to 3109.PPT

Mobile Device Awareness

• Support for small form-factor devices:
– Nav UI
– Web Email
– File Browser
– HTML Preview
– Email as attachment

• Supported platforms:
– Palm
– RIM Blackberry
– PocketPC 2000/2003
– Microsoft Smartphones

Page 17: Direct Link to 3109.PPT

Mobile Device Awareness: User Experience

• User types the logon point URL into the PDA browser

• User enters login credentials, including two-factor as necessary

• After successful authentication, user is informed of session start

• User is presented with the file and email interface

Page 18: Direct Link to 3109.PPT

Mobile Device Awareness: User Experience

• Create/view email

• Access shared or mapped drives

• Access, view and email Microsoft Office files without download

• Email documents from file shares

Page 19: Direct Link to 3109.PPT

Access Gateway and Advanced Access Control 4.2

Access Gateway + Advanced Access Control

Defining a new level of control and access!

Page 20: Direct Link to 3109.PPT

Agenda

1 Access Gateway for Advanced Access Control

2 Advanced Access Control Console

3 Examining the Endpoint Security SDK

4 Conclusion

Page 21: Direct Link to 3109.PPT

Agenda

1 Access Gateway with Advanced Access Control

2 Advanced Access Control Console

• Overview

• Creating Resources

• Authentication and Logon Points

• Creating and Applying Policies

• Access Scenarios

3 Examining the Endpoint Security SDK

4 Conclusion

Page 22: Direct Link to 3109.PPT

Designing an Access Strategy

1. Inventory all IT resources

2. Group resources into levels of sensitivity

3. Define end user access scenarios

4. Associate end user access scenarios with levels of sensitivity

5. Develop phased approach to implementation

[Figure: Partner Machine, Mobile PDA, Corporate Laptop, Home Computer, Corporate Laptop, File Servers]

Page 23: Direct Link to 3109.PPT

Advanced Access Control

Advanced Access Control includes:

– Policy-based access control

– Action rights control

– Clientless access

– Roaming policies

Page 24: Direct Link to 3109.PPT

Configuring Advanced Access Control

• Add Resources

– Web, Files, Email, Network Connections, Presentation Server

• Configure the Access Gateway within the Access Console

• Configure Authentication

– Support for Strong Authentication like SafeWord Tokens

• Configure Logon Point Properties

• Create Policies to control resource access

Important: By default, users are denied access to network resources until you create policies that grant them access permission.

Page 25: Direct Link to 3109.PPT

Agenda

1 Access Gateway with Advanced Access Control

2 Advanced Access Control Console

• Overview

• Creating Resources

• Authentication and Logon Points

• Creating and Applying Policies

• Access Scenarios

3 Examining the Endpoint Security SDK

4 Conclusion

Page 26: Direct Link to 3109.PPT

Creating Web Resources

• Web pages or web sites

• Group related URLs as a single Web resource

• Pass-through authentication methods:

Optional Settings:
– Bypass URL rewriting
– Interface common for all browser types

[Figure: Web/App Servers]

Page 27: Direct Link to 3109.PPT

Creating Web Resources

Page 28: Direct Link to 3109.PPT

Creating File Share Resource

• Shared directories

• Group related shares as a single resource

• You can use variables

• Publish a file share
– Browse to File Share
– Navigate to unpublished shares
– Access controlled by policy

[Figure: File Servers]

Page 29: Direct Link to 3109.PPT

Creating File Share Resource

Page 30: Direct Link to 3109.PPT

Creating EMail Resource

• Supported Web email applications
– Microsoft Outlook Web Access
– Lotus Notes/Domino

• Microsoft OWA Supports Small Form Factor Devices

Note: Enter the URL of the load balancer as the start page

[Figure: E-mail Servers]

Page 31: Direct Link to 3109.PPT

Creating EMail Resource

Page 32: Direct Link to 3109.PPT

Creating Network Resources

• TCP / UDP access via Secure Access Client

• Securely connect to services through the Access Gateway

• Simply specify a server and the port(s)

[Figure: a Corporate Laptop connecting over the Internet through a firewall, the Secure Gateway and a second firewall to File Servers, Web or App Servers, Presentation Server Applications, E-mail Servers and IP Phones]

Page 33: Direct Link to 3109.PPT

Creating Network Resources

Page 34: Direct Link to 3109.PPT

Accessing Presentation Server

• Access published applications

• Apply policies to Citrix Presentation Server:
– Published applications
– Workspace Control
– Policies like client-drive mapping and local printing

[Figure: Presentation Server]

Page 35: Direct Link to 3109.PPT

Accessing Presentation Server, Step #1: Presentation Server Console

Page 36: Direct Link to 3109.PPT

Accessing Presentation Server, Step #2: AAC Console

Page 37: Direct Link to 3109.PPT

Alternative Means of Accessing Presentation Server

Within Advanced Access Control:
• Web Interface as a Web application
– Single Sign On optional
• File type association
– Documents available via related Presentation Server Applications
• Access center
– Program Neighborhood or Embedded Application

Within Citrix Presentation Server 4.0:
• Associate published resources to AAC policies
• Allow connections through MetaFrame Secure Access Manager
• Trust requests sent to the XML Service

Page 38: Direct Link to 3109.PPT

Configuring the Access Gateway

• Administer the appliance using:
– Access Gateway Administration Tool
– Access Suite Console

Page 39: Direct Link to 3109.PPT

Configuring the Access Gateway From the Access Suite Console

• Configure IP routing

• Configure static routes

• Leverage RIP and RIP2

Page 40: Direct Link to 3109.PPT

Resource Groups

• Group resources into a single entity

• Requires fewer total policies

• Eases policy administration

Page 41: Direct Link to 3109.PPT

Resource Groups

Page 42: Direct Link to 3109.PPT

Agenda

1 Access Gateway with Advanced Access Control

2 Advanced Access Control Console

• Overview

• Creating Resources

• Authentication and Logon Points

• Creating and Applying Policies

• Access Scenarios

3 Examining the Endpoint Security SDK

4 Conclusion

Page 43: Direct Link to 3109.PPT

Advanced Authentication

• Advanced Authentication Types
– Secure Computing SafeWord

– RSA SecurID

– LDAP

– RADIUS

Page 44: Direct Link to 3109.PPT

The Logon Point

Page 45: Direct Link to 3109.PPT

The Logon Point

A logon point:
– Defines the logon page for users
– Specifies settings that are applied to user sessions
– Specifies authentication strength
– Specifies the home page
– Specifies the MetaFrame Presentation Server farms

Page 46: Direct Link to 3109.PPT

The Logon Point

• Testing with your sample logon point
– SampleLogonPoint at: Http://Server-Name/CitrixLogonPoint/SampleLogonPoint

Important: The sample logon point is designed for testing purposes only

Page 47: Direct Link to 3109.PPT

The Logon Point

Page 48: Direct Link to 3109.PPT

Deploying the Logon Point

• Multiple Logon Agents can point to an Advanced Access Control Farm

• Logon Points are only available when deployed by an administrator

Page 49: Direct Link to 3109.PPT

Agenda

1 Access Gateway with Advanced Access Control

2 Advanced Access Control Console

• Overview

• Creating Resources

• Authentication and Logon Points

• Creating and Applying Policies

• Access Scenarios

3 Examining the Endpoint Security SDK

4 Conclusion

Page 50: Direct Link to 3109.PPT

Policies - Controlling Access

• Dynamic control to resources and connections

• You can create two types of policies:
– Connection Policies control Secure Access Client connections
– Access Policies are granular permissions to resources

• When configuring policies, you define:
– Users / Groups
– Conditions when the policy applies

The access scenario is the information about the user and the user’s client device. This information is used to determine policy enforcement.

Page 51: Direct Link to 3109.PPT

Creating Connection Policies

Connections that use the Secure Access Client

• Assign filters to connection policies
– Filters are conditions that define when the policy applies

• One of the filters is a continuous scan filter
– A scan that monitors during the entire user session
– Disconnection occurs when the client device ceases to meet the requirements

Page 52: Direct Link to 3109.PPT

Creating Connection Policies

Page 53: Direct Link to 3109.PPT

Creating Access Policies

Page 54: Direct Link to 3109.PPT

Creating Policy Filters

• Three types of conditions:
– Logon point: access based on the URL through which the user connects to the network
– Authentication strength: whether users authenticate with passwords only or use advanced authentication
– Endpoint analysis scan outputs: based on information gathered by endpoint analysis scans

Remember: your filters can also be used within Citrix Presentation Server
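The policy model of the preceding slides (connection policies and access policies, each gated by a filter on logon point, authentication strength and endpoint scan outputs; users denied until a policy grants access; a continuous scan filter that ends the session when the device no longer qualifies), as an added example that is not Citrix code. The classes, function names and the sample "SalesShare" policies are assumptions constructed for illustration.

```python
"""Model of SmartAccess-style policy evaluation. Added example, not Citrix code;
every name and the sample policies below are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class AccessScenario:
    """The access scenario: facts about the user and the client device."""
    user: str
    groups: FrozenSet[str]
    logon_point: str                    # logon point the user connected through
    auth_strength: str                  # "password" or "advanced" (token, certificate, ...)
    scan_outputs: Dict[str, object]     # endpoint analysis results, e.g. {"av_running": True}


@dataclass
class Filter:
    """Conditions under which a policy applies; every condition set must hold."""
    logon_points: FrozenSet[str] = frozenset()      # empty means any logon point
    require_advanced_auth: bool = False
    required_outputs: Dict[str, object] = field(default_factory=dict)

    def matches(self, s: AccessScenario) -> bool:
        if self.logon_points and s.logon_point not in self.logon_points:
            return False
        if self.require_advanced_auth and s.auth_strength != "advanced":
            return False
        # A missing scan output never satisfies a requirement (fail closed).
        return all(s.scan_outputs.get(k) == v for k, v in self.required_outputs.items())


@dataclass
class AccessPolicy:
    name: str
    resource: str
    groups: FrozenSet[str]
    filt: Filter
    actions: FrozenSet[str]     # action rights granted: preview, download, edit, print


@dataclass
class ConnectionPolicy:
    name: str
    groups: FrozenSet[str]
    filt: Filter                # checked when the Secure Access Client connects
    continuous: Filter          # continuous scan filter, re-checked during the session


def evaluate_access(policies: List[AccessPolicy], s: AccessScenario,
                    resource: str) -> FrozenSet[str]:
    """Union of action rights from every matching policy; no match means no rights."""
    granted: set = set()
    for p in policies:
        if p.resource == resource and (p.groups & s.groups) and p.filt.matches(s):
            granted |= p.actions
    return frozenset(granted)


def open_connection(policies: List[ConnectionPolicy],
                    s: AccessScenario) -> Optional[ConnectionPolicy]:
    """First connection policy admitting the client, or None (connection denied)."""
    for p in policies:
        if (p.groups & s.groups) and p.filt.matches(s):
            return p
    return None


def session_still_valid(p: ConnectionPolicy, s: AccessScenario,
                        fresh_outputs: Dict[str, object]) -> bool:
    """Re-run the continuous scan filter on fresh outputs; False means disconnect."""
    rescanned = AccessScenario(s.user, s.groups, s.logon_point, s.auth_strength, fresh_outputs)
    return p.continuous.matches(rescanned)


# Constructed sample policies for a "SalesShare" file resource (assumed names).
SALES = frozenset({"Sales"})
ACCESS_POLICIES = [
    AccessPolicy("sales-share-full", "SalesShare", SALES,
                 Filter(logon_points=frozenset({"CtxInternal"}), require_advanced_auth=True,
                        required_outputs={"av_running": True, "domain_member": True}),
                 frozenset({"preview", "download", "edit", "print"})),
    AccessPolicy("sales-share-kiosk", "SalesShare", SALES,
                 Filter(logon_points=frozenset({"CtxExternal"})),
                 frozenset({"preview"})),
]
CONNECTION_POLICIES = [
    ConnectionPolicy("corp-device-vpn", SALES,
                     Filter(required_outputs={"domain_member": True}),
                     continuous=Filter(required_outputs={"av_running": True, "firewall_on": True})),
]

if __name__ == "__main__":
    laptop = AccessScenario("alice", SALES, "CtxInternal", "advanced",
                            {"av_running": True, "domain_member": True, "firewall_on": True})
    kiosk = AccessScenario("alice", SALES, "CtxExternal", "password", {})
    print(sorted(evaluate_access(ACCESS_POLICIES, laptop, "SalesShare")))
    print(sorted(evaluate_access(ACCESS_POLICIES, kiosk, "SalesShare")))
    print(evaluate_access(ACCESS_POLICIES, kiosk, "HRShare"))   # no policy: denied by default
    conn = open_connection(CONNECTION_POLICIES, laptop)
    print(conn and session_still_valid(conn, laptop, {**laptop.scan_outputs, "av_running": False}))
```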

Page 55: Direct Link to 3109.PPT

Creating Policy Filters: Endpoint Analysis

Page 56: Direct Link to 3109.PPT

Creating Policy Filters: Filter Creation

Page 57: Direct Link to 3109.PPT

Accessing the Entire Network

• All servers and services on your secure network

• Use the Entire Network resource to:
– quickly set up your deployment and test access
– provide unlimited access to a special class of user, such as administrators who need wide access for disaster recovery or emergency operations
– provide open access by default and later develop policies that deny access to specified resources according to your security plan

[Figure: CPS Applications, Web or App Servers, File Servers, Email Servers, Desktops & Phones]

Page 58: Direct Link to 3109.PPT

Accessing the Entire Network

Page 59: Direct Link to 3109.PPT

Agenda

1 Access Gateway with Advanced Access Control

2 Advanced Access Control Console

• Overview

• Creating Resources

• Authentication and Logon Points

• Creating and Applying Policies

• Access Scenarios

3 Examining the Endpoint Security SDK

4 Conclusion

Page 60: Direct Link to 3109.PPT

Access Scenario #1

• User Access Profile
– Corporate Sales Employee
– iForum Internet Kiosk
– Located within Mandalay Bay, Las Vegas

Page 61: Direct Link to 3109.PPT

End User Experience: Partial Access

[Figure: Kiosk Computer (alongside Corporate Laptop, Partner Machine and Mobile PDA) connecting over the Internet through a firewall, the Secure Gateway and a second firewall to Advanced Access Control, which fronts Web or App Servers, Presentation Server Applications, File Servers, E-mail Servers and IP Phones]

Action control options shown:
• Download and Access Information: full download; download to memory only; access via CPS only; preview in HTML only
• Edit and Save Changes: save locally; save only to network; save disabled
• Print: print locally; print to selected printers; printing disabled
• Presentation Server Applications

Page 62: Direct Link to 3109.PPT

Access Scenario #2

• User Access Profile
– Employee of a Partner Organization
– Partner Provisioned Desktop (UNTRUSTED)
– Located within Partner Organization Office

Page 63: Direct Link to 3109.PPT

End User Experience: Partial Access

[Figure: same topology and action control options as on the Access Scenario #1 slide, with a Home Computer among the endpoint devices shown]

Page 64: Direct Link to 3109.PPT

Access Scenario #3

• User Access Profile
– Corporate Sales Employee
– Corporate Provisioned Laptop
– Located within Mandalay Bay, Las Vegas

Page 65: Direct Link to 3109.PPT

End User Experience: Partial Access

[Figure: same topology and action control options as on the Access Scenario #1 slide, with a Home Computer among the endpoint devices shown]

Page 66: Direct Link to 3109.PPT

Access Scenario #4

• User Access Profile
– Corporate Sales Employee
– Corporate Provisioned Laptop
– Located within Corporate Remote Office Location

Page 67: Direct Link to 3109.PPT

End User Experience: Full Access

[Figure: same topology and action control options as on the Access Scenario #1 slide, with a Home Computer among the endpoint devices shown]

Page 68: Direct Link to 3109.PPT

Agenda

1 Access Gateway with Advanced Access Control

2 Implementing Advanced Access Control

3 Examining the Endpoint Security SDK

4 Conclusion

Page 69: Direct Link to 3109.PPT

Agenda

1 Access Gateway with Advanced Access Control

2 Implementing Advanced Access Control

3 Examining the Endpoint Security SDK

• Endpoint Analysis Overview

• Endpoint Analysis SDK

• Developing Custom Scans

4 Conclusion

Page 70: Direct Link to 3109.PPT

Resource Usage Control: Essence of SmartAccess

Endpoint Sensing (Endpoint Analysis): user status
• Machine Identity
• Machine Configuration
• Network Zone
• Authentication Method
• Custom Scans
Examples of what is sensed: NetBIOS name, Domain membership, MAC address, Operating System, Anti-Virus System, Personal Firewall, Browser Type, Device location (internal or external), Machine logon (Windows, Novell, etc), Strong Authentication (RSA Security, Secure Computing, ActivCard)

Access Control (Policy-based Access): who can access what data?
• Presentation Server applications
• File & Network shares
• Web-based email
• Web sites
• Web applications
• Email & application synchronization

Action Control: what action can the user take?
• Copy/Paste
• Save
• Print
• Preview
• Save to network
• Save locally
• Log access

[Figure: User Scenario (Which User) mapped to View Only, Edit, Print, Save]

Page 71: Direct Link to 3109.PPT

Implementation Requirements

• Win32 Clients

• Microsoft Internet Explorer 5 or 6 with cookies enabled and permission to load signed ActiveX controls, if distributing the ActiveX control

• Netscape Navigator 7 or greater or Mozilla Firefox, if distributing the browser plug-in

Page 72: Direct Link to 3109.PPT

Endpoint Analysis Terminology

• Endpoint Analysis gathers information about client devices accessing your networks and verifies that data against pre-set requirements

• Endpoint Scans allow you to enforce policies based on scan results
– Define properties to verify on the client device
– Define conditions under which the scan is run

• Rules contain sets of conditions defining when to run the scans and which conditions to verify
– Multiple rules can apply to one scan package

• Scan Outputs contain information detected from the client device or Boolean expressions indicating a true/false scan result.

Example:

• Internet Explorer Scan:
– property to verify on client = version
– condition to run scan = logon point

• Rules:
– All Win32 clients except XP & 2003, because XP & 2003 already have the required version 6
– When logon point = CtxExternal, because CtxInternal is used by employees who know better

• Outputs:
– Return true if version is 6 or greater!
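The Internet Explorer scan of the slide's example, modelled the way the deck splits a package: client-side detection code reports the raw property (browser version) and server-side code applies the rules and post-processes the result into a Boolean scan output, so the success criterion is never shipped to the endpoint (the point made later under Endpoint Analysis FYI). This is an added example, not Citrix SDK code; the names ScanRule, client_detect, server_post_process, run_scan and the sample endpoint facts are assumptions.

```python
"""Model of an endpoint analysis scan package with a client/server split.
Added example, not Citrix SDK code; all names are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class ScanRule:
    """When the scan runs: the Win32 platforms it applies to and the logon point."""
    excluded_os: FrozenSet[str]     # platforms that already ship the required version
    logon_point: str                # run only for sessions through this logon point

    def applies(self, os_name: Optional[str], logon_point: str) -> bool:
        return os_name not in self.excluded_os and logon_point == self.logon_point


# ---- client side: the detection code deployed to the endpoint ----
def client_detect(endpoint_facts: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Answer the enquiry with the property to verify (browser version) and nothing
    else; the threshold is not part of what the client receives or returns."""
    return {"ie_version": endpoint_facts.get("ie_version")}


# ---- server side: post-processing of the client result into a scan output ----
MIN_IE_MAJOR = 6    # success criterion, held on the server only


def parse_major(version: Optional[str]) -> Optional[int]:
    """Major number of a dotted version string; None if the client sent nothing usable."""
    try:
        return int(version.split(".")[0])
    except (AttributeError, ValueError):
        return None


def server_post_process(client_result: Dict[str, Optional[str]]) -> bool:
    """Boolean scan output for the policy engine; an unparsable result fails closed."""
    major = parse_major(client_result.get("ie_version"))
    return major is not None and major >= MIN_IE_MAJOR


def run_scan(rule: ScanRule, endpoint_facts: Dict[str, str], logon_point: str) -> Optional[bool]:
    """One session's evaluation: None when the rule says not to run the scan (no
    output is produced for the policy engine), otherwise the True/False output."""
    if not rule.applies(endpoint_facts.get("os"), logon_point):
        return None
    return server_post_process(client_detect(endpoint_facts))


# Constructed rule matching the slide: all Win32 clients except XP & 2003,
# run only when the logon point is CtxExternal.
IE_RULE = ScanRule(frozenset({"Windows XP", "Windows Server 2003"}), "CtxExternal")

if __name__ == "__main__":
    # Constructed sample endpoints; the last one reports a version the server cannot parse.
    for facts in ({"os": "Windows 2000", "ie_version": "6.0.2800"},
                  {"os": "Windows 2000", "ie_version": "5.5"},
                  {"os": "Windows XP", "ie_version": "5.5"},
                  {"os": "Windows 2000", "ie_version": "unknown"}):
        print(facts, "->", run_scan(IE_RULE, facts, "CtxExternal"))
```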

Page 73: Direct Link to 3109.PPT

High-Level Architecture

[Figure: zones Internet, DMZ and Protected Network (LAN); components: Endpoint Device with EPA Client Object and Package code; Access Gateway; EPA Proxy; Logon Agent Service; EPA Activation Page; Deployment Service; Advanced Access Control Services with EPA Web service and Package code; Data Layer with EPA tables and EPA Business Objects; Administration Layer (CMI) with EPA Admin UI]

Page 74: Direct Link to 3109.PPT

High-Level Architecture: Components

EPA Client Object: native Win32 DLL, an ActiveX control or plug-in that hosts the enquiries

EPA Activation Page: generates the client-side code to deploy (if necessary) and start the EPA Client object on the endpoint device when a new session request is detected

EPA Proxy: forwards requests from the EPA client to the EPA Service

EPA Web service:
• Executes server-side package code to generate client enquiries
• Performs post-processing on results for use by policy engine

Package code:
• Code modules for both client and server side execution
• Cached locally by Service and Proxy components
• Script or C/C++ native DLLs according to the whims of package authors
• Extracted from DB and deployed to Service and Proxy using the Deployment Service

Package code:
• Code modules for both client and server side execution
• Cached locally by Service and on endpoint device
• Script or C/C++ native DLLs according to the whims of package authors
• Extracted from DB and deployed to Service using the Deployment Service

EPA tables: extension of the farm database to hold the contents of packages and associated rules

EPA Business Objects: .Net assembly objects that form an abstraction layer over the database tables

EPA Admin UI:
• Package rule configuration
• Extensions to Logon Agent configuration related to EPA (mutual trust, service location)
• Delivered as a .NET assembly

Page 75: Direct Link to 3109.PPT

Evaluation Process

[Sequence diagram with participants Client Browser, Access Gateway, Logon Agent Service, EPA Proxy, EPA Web Service and Access Control & Policy Engine, steps numbered 1 to 9; messages as labelled: connect; begin login sequence; agent activation + initial enquiries; execute scan (agent); requests for package code, or intermediate data; package code, or more enquiries; post scan output; post invoked with results; transformed final results; login or access denied page (GO/NO-GO)]

Page 76: Direct Link to 3109.PPT

Endpoint Analysis Client

• ActiveX or Plugin client that requires user confirmation to execute

• Includes Control Applet to manage trusts and cache – code is cached to ApplicationData\Citrix\EPA

• Provides flexible range of security, identity, and device integrity checks on client machines

Page 77: Direct Link to 3109.PPT

Endpoint Analysis – FYI

• Endpoint analysis completes before the user session consumes a license – requires user’s permission to initiate scan

• Code and data sent to client does not reveal success criteria for evaluation

• The client agent and the endpoint analysis server are stateless

• Client caches downloaded code by site

• Command line utilities available for updating parameters and data sets

• Disallowed error page can be customized

Page 78: Direct Link to 3109.PPT


Agenda

1 Access Gateway with Advanced Access Control

2 Implementing Advanced Access Control

3 Examining the Endpoint Security SDK

• Endpoint Analysis Overview

• Endpoint Analysis SDK

• Developing Custom Scans

4 Conclusion

Page 79: Direct Link to 3109.PPT


Visual Studio .Net Add-in

• Extends existing Visual Studio concepts

  – New Endpoint Analysis Solution and File Types

  – Wizard driven package development

  – Extend Solution and Project Properties

  – Extend build environment to auto-generate .cab file

• Package Developer “Fills in the Blanks” to provide new Analysis functionality

• Contains all projects associated with a package

• Allows use of Visual Studio tools for localizing packages via Resource Files

Page 80: Direct Link to 3109.PPT


Visual Studio .Net Add-in

Client-side detection code

Server-side enquiry code

Page 81: Direct Link to 3109.PPT


Agenda

1 Access Gateway with Advanced Access Control

2 Implementing Advanced Access Control

3 Examining the Endpoint Security SDK

• Endpoint Analysis Overview

• Endpoint Analysis SDK

• Developing Custom Scans

4 Conclusion

Page 82: Direct Link to 3109.PPT


Environment Setup

• Install Microsoft Visual Studio .Net 2003

• Download and Install the Endpoint Analysis SDK:

  – http://apps.citrix.com/cdn

• Add EPA Include path to INCLUDE environment variable or within Visual Studio

  – Located by default: C:\Program Files\Citrix\EndpointAnalysisSdk\Include

• Install dependent APIs or Executables if needed

• Create Advanced Access Control testing environment

Page 83: Direct Link to 3109.PPT


Step 1 – Create Project Stub

• Launch Visual Studio and create new project

• Determine cab file location

  – Cab file is imported as a scan package within Access Suite Console

• Identify your package

  – Use company domain for URI value

• Determine development language

  – C++ or VBScript

• Define first boolean output

  – Additional outputs can be defined later

  – Outputs can be boolean, strings, integers or version, but only boolean outputs are used in policies

Page 84: Direct Link to 3109.PPT


Step 2 – Edit Package Properties

• Select File -> Edit Endpoint Analysis Package Properties

• Edit Version and other general properties if desired

• Add more outputs if needed

  – Outputs can be used for logging or as input parameters to other scans

• Modify Parameter List

  – Parameters can have a range of valid values to compare against output

  – Value lists can be updated using command line utilities

• Define additional prerequisites

  – Prerequisites determine conditions for code execution

• Define entry point for Dispatcher Code

  – RequestScan entry point defined by default

  – Specify required prerequisites and parameters for the entry point

Page 85: Direct Link to 3109.PPT


Step 3 – Code and Debug

ClientDownload.cpp hosts the client detection logic.

Define an exportable function on the client; the server component is instructed which function to call.

Page 86: Direct Link to 3109.PPT


Step 3 – Code and Debug

Dispatcher.cpp contains the server-side detection code.

Entry points are added automatically when set in the EPA properties screen – the signature includes two parameters:

• IEPAEnvironment: registers client queries and provides access to datasets

• IEPAParameterCollection: contains parameters defined in scan properties

Page 87: Direct Link to 3109.PPT


Step 4 – Package and Deploy

• Building the solution creates a cab file for the scan package in the designated directory

• Cab file contains:

  – An XML manifest that describes the operation of the EPA package

  – Zero or more bitmaps to serve as icons within the Access Suite Console

  – One or more code or script files (code modules in script format or Win32 DLLs)

  – One or more resource files (one per language into which the vendor has localized the package)

• Deploy the cab file in test environment

  – Import the cab file through the Access Suite Console

  – Deploy the cab file from within Visual Studio
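The split between client detection code and server-side dispatcher code that Steps 3 and 4 describe, and the earlier note that code sent to the client does not reveal the success criteria, modelled as an added C++ example (not Citrix SDK code; the function names, the map-based output and the min/max version parameters are assumptions): the client reports a raw version string, and the server compares it against a parameter range it never ships to the endpoint.

```cpp
// Added illustration, not Citrix SDK code: it models the client/server split the
// Endpoint Analysis design describes (client reports raw facts; server holds the
// acceptance range and yields the boolean output policies consume). Names are hypothetical.
#include <map>
#include <sstream>
#include <string>
#include <vector>
// "5.1.2600" -> {5,1,2600}; false unless the string is digits separated by dots.
bool parseVersion(const std::string& v, std::vector<int>& parts) {
    parts.clear();
    std::stringstream ss(v);
    std::string tok;
    while (std::getline(ss, tok, '.')) {
        if (tok.empty() || tok.size() > 9 ||
            tok.find_first_not_of("0123456789") != std::string::npos)
            return false;
        parts.push_back(std::stoi(tok));
    }
    return !parts.empty();
}

// Lexicographic compare; missing trailing parts count as zero ("5.1" == "5.1.0").
int compareParts(const std::vector<int>& x, const std::vector<int>& y) {
    for (size_t i = 0; i < x.size() || i < y.size(); ++i) {
        int xi = i < x.size() ? x[i] : 0, yi = i < y.size() ? y[i] : 0;
        if (xi != yi) return xi < yi ? -1 : 1;
    }
    return 0;
}

// Client side (ClientDownload.cpp role): return observations only, no verdict.
// observedVersion is a constructed stand-in for a registry or file query.
std::map<std::string, std::string> clientScan(const std::string& observedVersion) {
    std::map<std::string, std::string> output;
    output["AgentVersion"] = observedVersion;   // a string output of the package
    return output;
}

// Server side (Dispatcher.cpp role): min/max parameters never leave the server,
// so code and data sent to the client do not reveal the success criteria.
// Missing or malformed values fail closed (boolean output false).
bool serverEvaluate(const std::map<std::string, std::string>& scanOutput,
                    const std::string& minVersion, const std::string& maxVersion) {
    std::map<std::string, std::string>::const_iterator it = scanOutput.find("AgentVersion");
    std::vector<int> got, lo, hi;
    if (it == scanOutput.end() || !parseVersion(it->second, got) ||
        !parseVersion(minVersion, lo) || !parseVersion(maxVersion, hi))
        return false;
    return compareParts(got, lo) >= 0 && compareParts(got, hi) <= 0;
}
```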

Page 88: Direct Link to 3109.PPT


Questions?

Page 89: Direct Link to 3109.PPT


Agenda

1 Access Gateway for Advanced Access Control

2 Advanced Access Control Console

3 Examining the Endpoint Security SDK

4 Conclusion

Page 90: Direct Link to 3109.PPT


Before you leave…

• Recommended related breakout sessions:

  – 3113: Protecting Intellectual Property with the Citrix Access Suite 4.0

    • Tuesday, October 11 @ 9:00am – 9:50am

  – 2128: Citrix Access Gateway, the Best Way to Secure Citrix Presentation Server

    • Tuesday, October 11 @ 3:30 – 4:20pm

• Session surveys are available online at www.citrixiforum.com Tuesday, October 11 (please provide feedback)

• Breakout session handouts are located at the Breakers Registration Desk South

Page 91: Direct Link to 3109.PPT


Citrix Technology Lab

• Learn how Citrix leads the industry in access products that deliver the best access experience.

  – Where: Mandalay Bay Ballroom I

  – When: Monday 12pm – 3pm; Tuesday 10am – 4pm

• Meet the Architects – Monday & Tuesday: 1pm – 3pm

Page 92: Direct Link to 3109.PPT