Citrix Secure Gateway Presentation.ppt
Installing Citrix Secure Gateway
Andrew Wilmot, Citrix Technical Business Development Manager, Abcd IT
Citrix Technical Overview

Citrix Secure Gateway Presentation
- Introduce Citrix Secure Gateway and explain how it delivers secure access to applications and content from the Internet.
- Review Citrix Portal products: NFuse Classic, Enterprise Services for NFuse, and NFuse Elite.
- Discuss the special requirements for configuring Citrix Secure Gateway and NFuse on one server.
- Go through the implementation step by step.

What is Citrix Secure Gateway?
Citrix Secure Gateway is a secure Internet gateway between MetaFrame servers and ICA Client workstations that allows customers to simply and securely deliver applications across the Internet, on demand, to any device.

Introducing Citrix Secure Gateway 1.1
- Citrix Secure Gateway controls ICA traffic between the MetaFrame server farm and the client on the Internet.
- It effectively hides the MetaFrame server from the Internet; access is obtained via a secure SSL connection, brokered by CSG.
- CSG is a free product for users of MetaFrame XPa, s, e.
- Works in conjunction with NFuse Classic 1.7, NFuse Elite 1.0, and Enterprise Services for NFuse 1.7.

NFuse Portal Products
- NFuse Classic 1.7: Application Portal product providing end users with access to published applications over the web.
- Enterprise Services for NFuse 1.7: expands on NFuse Classic, allowing you to publish applications from multiple MetaFrame XP for Windows and MetaFrame for UNIX server farms simultaneously.
- NFuse Elite 1.0: Access Portal product that can be used as an Enterprise Information Portal (EIP), combining information from many sources in one place.

Why Secure Access?
- Remote Employee Access (B2E).
- Business Application Deployment (B2B).
- Consumer Applications (B2C).
- Business Continuity.
- Must be secure.
- Must be cost effective.
- Must allow access from anywhere.
- Must support different client device types.

When to use Secure Gateway
- One or more servers to support.
- Want to hide internal network addresses.
- Want to secure from DMZ.
- Need highly secure remote access solution.
- Don't want to use a VPN client.
- Need non-intrusive ICA client install, i.e. access from Internet cafes using the Java client.

CSG Architecture
[Diagram: Client Workstations (EXTERNAL), Firewall, Citrix Secure Gateway and Citrix NFuse (DMZ 203.12.216.51), Firewall, LAN. Labels: Secure Connectivity, Authentication, Access Mgmt]
- Citrix MF Server 192.168.0.100, Alt Address 192.168.5.1, ICA Port 1494, XML Port 8081, IIS/STA Port 80
- Ports to open: 443 (HTTPS and SSL)
- Ports to open: 80 (STA), 8081 (XML), 1494 (ICA)
- NAT 192.168.5.1-192.68.0.100

CSG Traffic Flow
[Diagram labels: HTTP/S, XML-HTTP/80, ICA/1494, 443, DMZ, ICA/SSL 443, .ICA file]

CSG Components
- CSG Service: the CSG program itself.
- NFuse Classic or NFuse Elite or ESNFuse: extensions are now built into NFuse and do not need to be installed separately as they were in earlier versions.
- Secure Ticketing Authority: functions as a ticketing authority and issues tickets to portal users' clients. These form the basis of authentication and authorization for ICA connections to a MetaFrame server.
- A single server can be used for CSG/NFuse: certain steps must be taken to ensure that this works successfully; see document from Alstom.

CSG Ticketing
[Diagram labels: Ticket Generation, Ticket Verification, ICA/1494, ICA File, ICA/SSL]

NFuse Classic and CSG Connection Process
- User accesses the NFuse Classic portal page over an https:// connection from a Web browser and logs in.
- NFuse requests the published resources from the MF XML Service, and the application page is populated with icons.
- User clicks on an application and address for the client is sent to the Secure Ticket Authority (STA) and a ticket is requested. The STA saves the IP address and issues the requested ticket to CSG server.
- NFuse server generates an ICA file containing the ticket issued by the STA and the FQDN of the CSG server, and sends it to the client's Web browser. The Web browser passes the ICA file to the ICA Client, which launches an SSL connection to the CSG server.

NFuse Classic and CSG Connection Process
- CSG server accepts the ticket from the ICA Client and uses information in the ticket to identify and contact the STA for ticket validation. If the STA is able to validate the ticket, it returns an IP address of the MetaFrame server on which the requested resource resides to the CSG server.
- CSG server receives the IP address for the MetaFrame server and establishes an ICA connection to the MetaFrame server.
- CSG server monitors ICA data flowing through the connection, and encrypts and decrypts client-server communication.

CSG Service
- Windows 2000 native service.
- Runs in DMZ, does not require IIS installed.
- Multi-threaded design (utilizes IO Completion Ports) for high efficiency and throughput.
- Utilises Microsoft S-Channel for SSL functions.
- Server certificate required for SSL server authentication.
- Build large CSG arrays for scalability and fault tolerance using industry standard external network load balancer.
- GUI configuration tool.
- Small benefit from PCI based SSL accelerators.

Secure Ticketing Authority
- Implemented as ISAPI DLL, so requires IIS.
- Extremely lightly loaded.
- Easily configurable through UI tool.
- Redundant STAs can be defined.
- Should not be accessible from outside DMZ.
- Communicates with CSG and NFuse via XML protocol over HTTP. Port configurable.

Encryption and Connectivity
- Secures ICA traffic only.
- SSL v3.0 and TLS 1.0 with 128-bit encryption.
- Support for Public Key Infrastructure (PKIs).
- Single IP address is exposed to Internet.
- Ease of firewall traversal (uses port 443 only).
[Diagram labels: Firewall, Citrix MetaFrame XP w/ Feature Release 1, Citrix Secure Gateway, Citrix NFuse 1.6 Technology, ICA and SSL]

SSL vs TLS
- SSL is an open, non-proprietary protocol that provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection.
- TLS is the latest, standardised version of the SSL protocol. TLS is an open standard and, like SSL, TLS provides server authentication, encryption of the data stream, and message integrity checks.
- Support for TLS Version 1.0 is included in Feature Release 2 for MetaFrame XP (not in FR1) and clients from v6.30.
- Because there are only minor differences between SSL and TLS, the server certificates you use for SSL in your MetaFrame installation will also work for TLS.

New in CSG v1.1
- Windows 2000 certification.
- All logging to Windows system log.
- TLS v1.0 and SSL v3.0.
- No NFuse Extensions: now native to NFuse Classic.
- Improved configuration Graphical User Interface: NFuse Admin.
- Solaris edition.

CSG and Java Client
- Zero footprint client: nothing to install on the local machine.
- Client is downloaded and executed via the browser.
- Ideal for accessing applications securely
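
Added example (not from the original presentation and not Citrix code): a Python model of the ticket flow in the NFuse Classic and CSG Connection Process slides, showing that the ICA file carries only a ticket and the CSG FQDN while the MetaFrame address is released only to the gateway. Assumptions: the ticket format, the STA id STA01, csg.example.com, the dictionary field names, and single-use tickets with a 100-second lifetime are all constructed for the model; the address saved by the STA is taken to be the MetaFrame server's.

```python
import secrets
import time


class SecureTicketAuthority:
    """Toy STA: maps opaque tickets to the address saved when the ticket was issued."""

    def __init__(self, sta_id, ttl_seconds=100):
        self.sta_id = sta_id
        self.ttl = ttl_seconds   # modelling assumption: tickets expire
        self._pending = {}       # ticket -> (server_addr, issued_at)

    def issue(self, server_addr, now=None):
        ticket = f"{self.sta_id};{secrets.token_hex(16)}"  # constructed format
        self._pending[ticket] = (server_addr, time.time() if now is None else now)
        return ticket

    def validate(self, ticket, now=None):
        # pop() makes the ticket single use (modelling assumption)
        server_addr, issued_at = self._pending.pop(ticket, (None, 0.0))
        now = time.time() if now is None else now
        return server_addr if now - issued_at <= self.ttl else None


def build_ica_file(ticket, gateway_fqdn):
    """NFuse side: the client receives only the ticket and the CSG FQDN."""
    return {"ticket": ticket, "gateway": f"{gateway_fqdn}:443"}


def gateway_connect(ica_file, stas, now=None):
    """CSG side: pick the STA named in the ticket, redeem it, return the ICA target."""
    ticket = ica_file["ticket"]
    sta = stas.get(ticket.split(";", 1)[0])
    server_addr = sta.validate(ticket, now) if sta else None
    if server_addr is None:
        raise PermissionError("ticket rejected by STA")
    return server_addr, 1494  # ICA port from the architecture slide


if __name__ == "__main__":
    sta = SecureTicketAuthority("STA01")          # hypothetical STA id
    ica = build_ica_file(sta.issue("192.168.0.100"), "csg.example.com")
    print(ica)                                    # no internal address in here
    print(gateway_connect(ica, {"STA01": sta}))   # first use succeeds
    try:
        gateway_connect(ica, {"STA01": sta})      # replay of the same ticket
    except PermissionError as err:
        print("replay:", err)
```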