Thursday, February 9, 2012

Secure Gateway Vs Access Gateway

SSL RELAY:

The SSL VPN is a secure remote access solution that provides point-to-point
communication between remote users and an enterprise network. It does so by creating a
secure SSL-based tunnel between a user's web browser and the Citrix servers.
SSL VPN lets remote users securely access a company's networked enterprise
resources, including:
i) Intranet or extranet websites
ii) Shared Windows file systems
iii) Native client/server applications (e.g., Outlook, PeopleSoft, and Oracle)
ICA ENCRYPTION:
The Citrix ICA protocol is used to transfer data between a client and the CPS
server. ICA has a mode called SecureICA that encrypts ICA traffic using RSA's
RC5 cipher. Since this level of encryption is not strong enough for
delivering data over the Internet, Citrix developed the Secure Gateway (SG).
SECURE GATEWAY:
The Secure Gateway (SG) is a software proxy server for securing CPS traffic. It
acts as an SSL gateway between ICA clients and the CPS server farm. Secure Gateway is limited to supporting Presentation Server traffic. In the "Double-Hop DMZ" setup, the SG in the first hop has access to the Web Interface and the authentication servers; access to the Secure Ticketing Authority and the CPS servers goes through a proxy device in the second hop.

ACCESS GATEWAY:

The Access Gateway is appliance based and includes support for additional applications
and protocols. The Access Gateway Enterprise Edition can handle all of your organization's
remote access needs by securing traffic to applications hosted by Presentation
Server as well as access to corporate resources such as email, internal Web
applications, and network file shares. You can deploy the Access Gateway Enterprise Edition in a double-hop DMZ configuration to provide a single point of access to a server farm residing in an internal network. With this configuration, you must deploy two Access
Gateway appliances: one in the first hop of the DMZ and one in the second
hop of the DMZ. The Access Gateway in the second hop of the DMZ
operates as a proxy for ICA traffic traversing the second DMZ.


Configuration Details
You can set the system to run in Secure Gateway mode using the set vpn
parameter -wiMode CSG command:

> set vpn parameter -wiMode CSG

Note: By default, wiMode is set to NONE on the system.
Once WI mode has been enabled, the set vpn parameter -homepage
command is used to configure the Web Interface homepage to which the system
should redirect the user. This is where the CPS applications are published
and can be accessed by the user.
To configure the WI homepage to http://wi.citrix.com/Metaframe, use
the following command:

> set vpn parameter -homepage http://wi.citrix.com/Metaframe

The configured URL should contain the fully qualified domain name (FQDN) of
the WI server and the homepage path.
Note: If the WI is a secure (HTTPS) server, the FQDN should be configured with https://
The VPN vserver can run in both the CSG and non-CSG (traditional VPN
functionality) modes at the same time, i.e., some user sessions can be in
CSG mode and others in non-CSG mode.
If CSG mode is enabled (on a session), on successful authentication the VPN
plugin is not loaded; instead the browser is redirected to the homepage
(which will be the WI homepage) and all HTTP requests are proxied to the WI.
Since the plugin is not running, none of the other backend resources (except
for CPS) is accessible.
However, if CSG mode is disabled, the VPN plugin gets loaded and the WI
becomes just another back-end service with its traffic being intercepted.
Note: If the WI is in SG mode pointing to the VPN vserver as the proxy, the VPN
vserver will automatically switch to CSG mode for the resulting ICA traffic.

Secure Ticketing Authority server configuration

Secure Ticketing Authority (STA) is a ticketing mechanism that issues SG
tickets for ICA connections. These tickets form the basis of authentication and
authorization for ICA connections to a CPS server. It also stores the IP address
of the CPS server in the ticket and returns this address as part of the ticket
validation.
You can bind an STA server to the system either globally or to a particular VPN
vserver using the bind vpn global -staServer or the bind vpn vserver
-staServer command:

> bind vpn global -staServer <URL>
OR
> bind vpn vserver <vserver name> -staServer <URL>

Note: STA servers cannot be load balanced, since each STA server has a unique ID
and only the STA server that generated a ticket can validate it.

Configuring Double Hop

To configure double hop on the system, add a nextHopServer using
the add nextHopServer command.

You can configure a secure nextHopServer called nextHopServer1 with IP
address 192.168.12.15 using the following command:

> add nextHopServer nextHopServer1 192.168.12.15 443 -secure ON

You can bind a nextHopServer to the system either globally or to a particular
VPN vserver using the bind vpn global -nextHopServer or the bind vpn
vserver -nextHopServer command:

> bind vpn global -nextHopServer nextHopServer1
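As an added example (not from the original post or from Citrix documentation), the following Python lint checks a running-config excerpt against the rules stated in this section: CSG mode needs a homepage naming the WI by FQDN (https:// when the WI is secure) and a bound STA server, and a next-hop server on port 443 should be set -secure ON and bound. The config lines and hostnames are constructed; the only real names are the NetScaler commands shown above.

```python
"""Lint an Access Gateway running-config excerpt against the CSG-mode rules
described in this post. Added example; config lines and hostnames are constructed."""
import re
from typing import List

# Constructed sample in 'show ns runningConfig' style, not captured from a real appliance.
SAMPLE_CONFIG = """\
set vpn parameter -wiMode CSG
set vpn parameter -homepage http://wi.example.internal/Metaframe
bind vpn global -staServer https://sta1.example.internal/Scripts/CtxSta.dll
add nextHopServer nextHopServer1 192.168.12.15 443 -secure OFF
bind vpn global -nextHopServer nextHopServer1
"""

def lint_csg_config(config: str, wi_is_https: bool = False) -> List[str]:
    """Return findings; an empty list means the excerpt satisfies the stated rules."""
    findings: List[str] = []
    opts = {}
    # 'set vpn parameter' may appear once with several options or once per option.
    for m in re.finditer(r"^set vpn parameter (.*)$", config, re.M):
        opts.update(re.findall(r"-(\w+) (\S+)", m.group(1)))
    if opts.get("wiMode", "NONE") == "CSG":          # NONE is the default wiMode
        homepage = opts.get("homepage")
        if not homepage:
            findings.append("wiMode CSG without -homepage: nothing to redirect users to")
        else:
            host = re.match(r"https?://([^/:]+)", homepage)
            if not host or "." not in host.group(1):
                findings.append(f"homepage {homepage} does not name the WI by FQDN")
            if wi_is_https and not homepage.startswith("https://"):
                findings.append(f"WI is HTTPS but homepage {homepage} is not https://")
        if not re.search(r"^bind vpn (global|vserver \S+) -staServer ", config, re.M):
            findings.append("wiMode CSG without a bound STA: no tickets for ICA connections")
    hop_re = r"^add nextHopServer (\S+) (\S+) (\d+)(?: -secure (ON|OFF))?"
    for name, ip, port, secure in re.findall(hop_re, config, re.M):
        if port == "443" and secure != "ON":
            findings.append(f"nextHopServer {name} ({ip}:443) is not set -secure ON")
        bound = rf"^bind vpn (global|vserver \S+) -nextHopServer {re.escape(name)}\s*$"
        if not re.search(bound, config, re.M):
            findings.append(f"nextHopServer {name} is defined but never bound")
    return findings

if __name__ == "__main__":
    for f in lint_csg_config(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Run against the output of show ns runningConfig (or the relevant lines of ns.conf) to catch a second hop left on plain TCP or a CSG vserver with no STA before users hit it.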


Hints:
CSG: Citrix Secure Gateway
