Direct Link to 3109.PPT
  • The aim of this slide is to explain why Citrix is different from security companies like Symantec, Cisco, Checkpoint, etc. We would categorize these companies as “Protective Security”. Citrix is part of the “Access Security” category. Some other companies in “Access Security” would be the SSL VPNs, although they only have a tactical point solution. Importantly, customers need both Protective and Access Security, and we partner strongly in the Protective space. “Access Security” explains how Citrix fits into the security space, and our solutions are uniquely good at simultaneously providing a more secure architecture (secure by design) and making access easier for users.
  • These points are generally very well known by customers. By putting them here we are setting the stage and showing customers that we understand their pain points. The different access scenarios are grouped into relatively straightforward ones (corporate laptops, home & partner machines) and more advanced ones (mobile PDA & kiosk). While most people are looking for access from the first group, the second group poses challenges for organizations with more advanced access needs.
  • This slide details various access problems from customers. Customers want:
    • Their connecting endpoints to be trusted and secure
    • End users to have a consistent access experience, regardless of whether they are inside or outside the network
    • To leverage a secure, hardened appliance in the DMZ
    • A centralized management point for all of their resources
    • Lastly, control over how information can be used or accessed
    Challenges customers face with solutions in the market today:
    • Limited access from behind the firewall (e.g. IPSec VPNs)
    • An increasing number of mobile users leveraging small form factor devices
    • The need to access information from anywhere, anytime to stay competitive (kiosk, home, etc.)
    • The combination of slow bandwidth & limited usability, which often leads to frustrated users
  • If you try to build a complete Access Infrastructure without Citrix you end up with a collection of different pieces from different vendors – pieces that do not fit well together. On the other hand, Citrix offers a complete Access Infrastructure, where the pieces all fit together consistently. Even if you want to start building an Access Infrastructure with a single piece like an SSL VPN, you need to know that you can come back for the other components when necessary. Only Citrix offers this solution. An SSL VPN is a tactical piece part of an overall Access Solution – a proof point here is that other SSL VPNs are integrating with Citrix Presentation Server – an acceptance that they see more is needed for a complete solution, and that Presentation Server is key.
  • In September, customers will be able to replace their Secure Gateway in the DMZ with the Access Gateway. Advanced Access Control will continue to be deployed inside the secure LAN on a server running Windows 2000 Server or Windows Server 2003. What is the advantage of deploying AAC inside the network? The main reason Advanced Access Control is deployed in the secure network, as opposed to the DMZ, is that we believe sensitive information (user information, management configuration, access policies) should reside inside the secure network.
  • Policy-based access control grants or denies access to resources based on a rule or set of rules created by the organization. Those resources can be anything from file shares, web servers and email servers to Presentation Server itself. The combination of endpoint analysis and access control defines a typical SSL VPN: based on some endpoint analysis, the SSL VPN product allows or denies user access to resources. This is a very restricting yes-or-no access decision, and it leaves no room for the frequent “maybes”.
  • Citrix Access Gateway with Advanced Access Control introduces a new level of Action Rights control. That means, in addition to features of a typical SSL VPN, administrators can control how users can make use of the data.
  • This is the action slide (the “do”), looked at from three different access scenarios.
  • In addition to providing the best access experience through full and partial Secure Access Client access for managed devices, Advanced Access Control also offers client-less access to information from anywhere, anytime by providing access to protected web sites, email, and file shares.
  • This slide summarizes the various AAC components available on SFF devices.
  • Illustrates what our email interface looks like from a Pocket PC. One of the advantages of using this interface is that it allows users to preview and send documents as attachments without downloading them to the device.
  • David follows the 5 steps to design and create a secure access infrastructure for his users.
  • In this scenario, the endpoint analysis identified that Jerry is working from a partner’s computer – one that is susceptible to inadvertent leakage of information. Since this access scenario is considered a risk, Advanced Access Control grants Jerry only a partial access policy to certain IT resources.
  • David has set up a policy to prevent user access from home machines. When Jerry attempts to access IT resources from his home PC, he is immediately denied access.
  • Action Control allows us to specify WHAT the user can actually do. It manages the use of sensitive information by:
    • controlling how information is accessed and used (Citrix Presentation Server, File preview, etc.)
    • controlling what can be done with that information (print, save, copy, etc.)
    • ensuring no data is inadvertently left on the local machine
    References to HIPAA or SOX would be good to talk about, because it is not just about controlling black-and-white access to resources. It is about controlling how those resources can be accessed based on the user or device situation.
  • Scan Groups and Scan Packages: EPA scan packages are distributed in .CAB archive format and contain the following data:
    • An XML manifest that describes the operation of the EPA package
    • Zero or more bitmaps to serve as icons
    • One or more code or script files (code modules in script format or Win32 DLLs)
    • One or more resource files (one per language into which the vendor has localized the package)
    When a package is imported, all data contained in the package is added to the Access Gateway Enterprise configuration database. Any package may be removed from the system, provided that there are no rules configured for the package. Packages are globally and uniquely identified by an author-assigned URI and by a version number; both values are taken from the package manifest.
    Scan Groups serve no purpose other than to arrange the Scan Packages by their function for ease of administration. Administrators can also create their own Scan Groups for organizational purposes. The default Scan Groups and Scan Packages are as follows:
    • Anti-Virus: McAfee VirusScan, McAfee VirusScan Enterprise Edition, Norton Anti-Virus Personal, Symantec AntiVirus Enterprise, Trend OfficeScan
    • Browser Checks: Internet Explorer, Internet Explorer Update, Netscape Navigator
    • Custom Checks
    • Machine Groups: Domain Membership, MAC Address
    • Miscellaneous Checks
    • OS Checks: Windows Service Pack, Windows Update
    • Personal Firewall: McAfee Desktop Firewall, McAfee Personal Firewall, Microsoft Windows Firewall, Norton Personal Firewall, ZoneAlarm, ZoneAlarm Pro
    • Other Scan Packages: these Scan Packages are installed but not exposed in the Access Suite Console and must be imported manually. In a default installation they are located in C:\Program Files\Citrix\Access Gateway Enterprise\Bin\EPAPackages. Use the “Import Scan Package” option from the Common Tasks menu in the Task Panel if you plan on creating Scans based on one of these Scan Packages.
      • Trivial Package – the input Boolean value becomes its output
      • Minimal Package – returns true if the input string is found within the browser’s User-Agent header
      • Watermark Package – takes the hive, key and value names and the expected value (as prompted) and returns true if such a registry key exists on the client
    Scans: Scans define the properties verified on the client device and the conditions under which the scan is run. Scans also produce scan outputs, which can be used in filters for policies as well as in conditions for other scans. Scan conditions include:
    • Logon Points
    • Client Device
    • Regional Locale
    • The output of another Scan
    Rules: Rules are sets of conditions and properties that define when a scan is applied and what to look for on a client. For example, apply a scan if connecting client devices are running a specific operating system (condition one) and connect from a specified logon point (condition two), then compare the results of the scan to the configured property values to decide whether the scan outputs should indicate success or failure. Rules are to scans what filters are to policies. The available condition sets depend on the Scan Package under which you create the rule. The comprehensive table in the “Considerations” section details what data each Scan Package looks for when you configure your Rules.
    Data Sets: Data sets are text files in CSV format that contain data against which scan output can be compared. For example, you may want to control access based on the MAC address of a known corporate asset. To do this, create a data set containing all the MAC addresses of your corporate devices and create a new Scan from the MAC Address Scan Package. Then configure a new Rule that compares the Scan Output to the data set.
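As an added example (written for this page; it is not Citrix code and not part of the presentation), the following Python model shows how a scan package, a rule with conditions, a CSV data set and the output of another scan combine into Boolean scan outputs that a policy filter consumes. It goes slightly beyond the MAC-address example in the notes: three packages run under different conditions, a later scan is conditioned on an earlier one's output, and the policy maps the outputs to the full / partial / denied outcomes of the Jerry scenarios above. The package names, the CSV contents, the session fields and the policy thresholds are all constructed assumptions.

```python
import csv
import io
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Constructed data set (not real assets): a CSV of known corporate MAC addresses,
# the kind of text file the notes describe scan output being compared against.
CORPORATE_MACS_CSV = """mac,asset_tag
00-11-22-33-44-55,LAPTOP-0001
00-11-22-33-44-66,LAPTOP-0002
"""

def load_data_set(text: str, column: str) -> Set[str]:
    """Data sets are CSV text; normalise the compared column so scan output matches it."""
    return {row[column].strip().upper() for row in csv.DictReader(io.StringIO(text))}

# A scan package is modelled as a function over the client's reported properties plus
# the rule's configured property values. Expected values live in the rule, not on the client.
ScanFn = Callable[[dict, dict], bool]

def minimal_package(client: dict, params: dict) -> bool:
    # Mirrors the "Minimal package": true if the input string is in the User-Agent header.
    return params["needle"] in client.get("user_agent", "")

def mac_address_package(client: dict, params: dict) -> bool:
    # Mirrors the MAC Address package with its output compared against a data set.
    return client.get("mac", "").upper() in params["data_set"]

def windows_service_pack_package(client: dict, params: dict) -> bool:
    # Mirrors an OS Checks package: service pack at least the configured level.
    return client.get("service_pack", 0) >= params["min_sp"]

@dataclass
class Rule:
    """Conditions decide WHEN the scan runs; params are WHAT the package compares against."""
    logon_points: Optional[Set[str]] = None    # condition: logon point used
    client_os: Optional[Set[str]] = None       # condition: client device OS
    requires_output: Optional[str] = None      # condition: output of another scan
    params: dict = field(default_factory=dict)

@dataclass
class Scan:
    name: str
    package: ScanFn
    rule: Rule

def rule_applies(rule: Rule, session: dict, outputs: Dict[str, bool]) -> bool:
    if rule.logon_points is not None and session["logon_point"] not in rule.logon_points:
        return False
    if rule.client_os is not None and session["client"].get("os") not in rule.client_os:
        return False
    if rule.requires_output is not None and not outputs.get(rule.requires_output, False):
        return False
    return True

def run_scans(scans, session: dict) -> Dict[str, bool]:
    """Evaluate in order so a later scan can condition on an earlier output (iterative
    scanning). A scan whose rule does not apply yields a False output, not an error."""
    outputs: Dict[str, bool] = {}
    for scan in scans:
        applies = rule_applies(scan.rule, session, outputs)
        outputs[scan.name] = scan.package(session["client"], scan.rule.params) if applies else False
    return outputs

def access_level(outputs: Dict[str, bool]) -> str:
    """Policy filter over the Boolean outputs (constructed thresholds)."""
    if outputs["corporate_mac"] and outputs["service_pack_ok"]:
        return "full"
    if outputs["ie_browser"]:
        return "partial"
    return "denied"

def build_scans():
    macs = load_data_set(CORPORATE_MACS_CSV, "mac")
    return [
        Scan("ie_browser", minimal_package, Rule(params={"needle": "MSIE"})),
        Scan("corporate_mac", mac_address_package,
             Rule(logon_points={"Internet"}, client_os={"Windows XP", "Windows 2000"},
                  params={"data_set": macs})),
        # Only worth checking once the device is known to be a corporate asset.
        Scan("service_pack_ok", windows_service_pack_package,
             Rule(requires_output="corporate_mac", params={"min_sp": 2})),
    ]

def evaluate(session: dict):
    """Returns (scan outputs, access level) for a constructed session description."""
    outputs = run_scans(build_scans(), session)
    return outputs, access_level(outputs)

if __name__ == "__main__":
    corporate = {"logon_point": "Internet",
                 "client": {"os": "Windows XP", "mac": "00-11-22-33-44-55",
                            "service_pack": 2, "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0)"}}
    print(evaluate(corporate))
```

A partner machine with an unknown MAC address gets only the browser-based partial access, and a device the MAC rule never runs on (a non-Windows OS or a different logon point) falls through the same way, which is the behaviour the notes describe for a rule whose conditions are not met.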
  • Step by step interaction flow diagram of Citrix’s endpoint analysis.
  • Endpoint analysis interaction flow:
    1. User opens a browser and points it to the Access Gateway.
    2. Access Gateway detects a new session and deploys the endpoint scan client.
    3. The scan client is activated. It calls the dispatchers to retrieve scan parameters.
    4. Dispatchers retrieve scan scripts and parameters via the Endpoint Analysis Web Service.
    5. The browser downloads the necessary endpoint analysis modules if they are not cached on the endpoint. Modules are stored in the database and deployed from EAS, and the scan operations execute.
    6. The EPA client posts results to the Endpoint Analysis Web Service via the Access Gateway, and EAS executes transformation modules on the results. Steps 4 to 6 may repeat until all needed data is collected.
    7. Access Gateway posts the transformed results to the Authentication Service.
    8. EAS queries the Policy Engine to determine if authentication is allowed.
    9. If yes, the authentication page is displayed; otherwise feedback is provided to instruct the user on the steps for remediation.
    10. At authentication, the results are stored with the session data.
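The flow above, as an added example that is not part of the presentation or of Citrix's own code: a Python model of the repeat-until-collected exchange in which the server re-derives everything from an opaque state blob the client carries back on each round trip, sends the client only the enquiries (what to scan, never the pass criteria), and only decides logon versus remediation once every enquiry has been answered. The enquiry names, the criteria and the HMAC-protected token format are constructed assumptions; the notes state that state is passed cookie-style until logon but do not specify how it is protected.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption: one server-side secret and no per-client record before logon.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 32  # SHA-256 HMAC tag appended to the state body

# Enquiries sent to the client name only WHAT to scan. The success criteria stay
# server-side, so code and data sent to the client do not reveal what would pass.
ENQUIRIES = [
    {"id": "os_version", "scan": "windows_version"},
    {"id": "av_pattern", "scan": "antivirus_pattern_number"},
]
CRITERIA = {
    "os_version": lambda v: v in ("5.1", "5.2"),   # constructed: XP / Server 2003 only
    "av_pattern": lambda v: int(v) >= 4500,        # constructed minimum pattern file
}

def seal(state: dict) -> str:
    """Turn the server's working state into an opaque, integrity-protected blob."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

def unseal(token: str) -> dict:
    """Reject any blob whose tag does not match: the client may carry state, not edit it."""
    raw = base64.urlsafe_b64decode(token.encode())
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("state token failed integrity check")
    return json.loads(body)

def token_is_valid(token: str) -> bool:
    try:
        unseal(token)
        return True
    except ValueError:
        return False

def server_step(token: Optional[str], result: Optional[dict]) -> dict:
    """One round trip. Everything is re-derived from the token; nothing is stored here."""
    state = unseal(token) if token else {"collected": {}}
    if result:
        state["collected"][result["id"]] = result["value"]
    pending = [e for e in ENQUIRIES if e["id"] not in state["collected"]]
    if pending:  # steps 4 to 6 repeat until all needed data is collected
        return {"enquiry": pending[0], "state": seal(state)}
    failed = [k for k, ok in CRITERIA.items() if not ok(state["collected"][k])]
    if failed:
        return {"action": "remediate", "failed": failed}
    return {"action": "logon", "collected": state["collected"]}

def run_client(client_props: dict) -> dict:
    """Simulated EPA client: answers each enquiry and echoes the state back unchanged."""
    token, result, round_trips = None, None, 0
    while True:
        reply = server_step(token, result)
        round_trips += 1
        if "enquiry" not in reply:
            reply["round_trips"] = round_trips
            return reply
        token = reply["state"]
        result = {"id": reply["enquiry"]["id"], "value": client_props[reply["enquiry"]["scan"]]}

def client_visible_text() -> str:
    """Everything the client receives before answering: should contain no criteria."""
    return json.dumps(ENQUIRIES)

def edited_without_key(token: str, key: str, value: str) -> str:
    """State blob with one collected value changed but the old tag kept (no key used)."""
    raw = base64.urlsafe_b64decode(token.encode())
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    state = json.loads(body)
    state["collected"][key] = value
    return base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode() + tag).decode()

if __name__ == "__main__":
    print(run_client({"windows_version": "5.1", "antivirus_pattern_number": "4600"}))
```

Because the server keeps no record until logon succeeds, a flood of half-finished scans costs it nothing but CPU per request, which is the denial-of-service concern the notes raise; the integrity tag is what lets the server trust a blob it did not store.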
  • Screenshot of end point analysis scan loading – what the user sees.
  • Endpoint analysis completes before the user session consumes a license.
  • Endpoint analysis supports examination of Windows-based products and client software only.
  • You can log endpoint analysis events through the system Event Viewer. Configure logging options in the access server farm properties. Logged events indicate which properties are scanned and the scan output (results).
  • User permission is required to initiate scans.
  • You can use the CtxEpaParamUpdate utility to update the required property values for a scan. This command is designed for use as a scheduled task on a server with the management console installed. Use the following syntax:
  • You can use CtxEpaDataSetUpdate to script or schedule updates to data sets. For example, you might prefer to create your own script to automate a task such as updating the pattern file number required for an antivirus program. Use the following command options (switches) with this utility:
  • The client agent and the endpoint analysis server are stateless. If Endpoint Analysis were allowed to build session state, e.g. in the database, then the creation of that state would potentially be a route for a denial of service attack. To avoid this possibility, all state is managed as data passed between client and server (and server and client), in a cookie-like manner, until a successful logon.
  • Code and data sent to the client do not reveal the success criteria for an evaluation. That is, it is not possible to extract from the code and data sent to the client the configuration required for the client machine to be presented with a logon page.
  • Client scanning may be iterative. That is, information already gathered from a client may be used to decide whether or not further information should be gathered from the client.
  • All interactions between the client and the Endpoint Analysis server are proxied through the Logon Agent. That is, there is no direct connection between the client and any part of the server other than the connection to the Logon Agent. The client is given no information about names or addresses of other server-side components until Endpoint Analysis has finished and the user has successfully logged on.
  • The interaction between Endpoint Analysis and the Access Policy is performed by the Logon Agent. That is, there is no direct connection between Endpoint Analysis and the Access Control Policy.
  • The interaction between Endpoint Analysis and the database takes place via the MSAM data layer and specific Endpoint Analysis business objects. That is, access to the database is intermediated by a scriptable layer exporting common operations to the UI and to scripts.
  • The output of Endpoint Analysis is a set of Boolean variables to be read by the Malibu Access Policy. This is a ‘first release’ restriction imposed by the access control policy implementation.
  • The client caches downloaded code by site. Ideally a site would only be able to run code on the client that it has itself downloaded to the client. However, this policy is too restrictive: for example, it prohibits code downloaded via a Logon Agent on the LAN from being used when the user connects to the same network via a different Logon Agent from the Internet. To mitigate this problem we allow a Logon Agent to run code if:
    1. The Logon Agent has downloaded the code to the client, or
    2. The code was downloaded to the client by another Logon Agent and there is mutual trust between the two Logon Agents.
    Mutual trust is established by each Logon Agent asserting to the client that it trusts the other Logon Agent. Mutual trust means that each Logon Agent both trusts the code supplied by the other agent and trusts the other agent to use the code it supplies. In effect, mutual trust is a way of causing a group of Logon Agents to behave as a single Logon Agent from the point of view of Endpoint Analysis.
    Trust assertions are made when enquiries are downloaded to a client agent. The client agent caches these trust assertions. A trust assertion is of the form that the enquirer trusts a set of Logon Agents. The set of Logon Agents is allowed to include the enquirer. Such inclusion has no effect on the trust relations (i.e. the meaning of the trust assertion is the same whether or not the enquirer is included in the set) and is permitted only to allow a common set to be used across a number of Logon Agents.
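The two-rule policy above (run code you downloaded, or code downloaded by a mutually trusted Logon Agent), as an added example that is not Citrix code and not part of the presentation: a Python model of the client agent's cache of downloaded modules keyed by the downloading Logon Agent, plus the cached trust assertions, with the mutual-trust check requiring assertions in both directions. It also checks the notes' statement that including the enquirer in its own trust set changes nothing. The agent and module names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class ClientAgentCache:
    # module name -> Logon Agent that downloaded it to this client
    modules: Dict[str, str] = field(default_factory=dict)
    # enquirer -> set of Logon Agents it asserted it trusts (cached with the enquiry)
    assertions: Dict[str, Set[str]] = field(default_factory=dict)

    def receive_enquiry(self, agent: str, trusts: Set[str], module: Optional[str] = None) -> None:
        """An enquiry from `agent` carries its trust assertion and, optionally, new code."""
        self.assertions[agent] = set(trusts)
        if module is not None:
            self.modules[module] = agent

    def mutual_trust(self, a: str, b: str) -> bool:
        """Both agents must have asserted trust in each other; one-way trust is not enough."""
        return b in self.assertions.get(a, set()) and a in self.assertions.get(b, set())

    def may_run(self, agent: str, module: str) -> bool:
        origin = self.modules.get(module)
        if origin is None:
            return False                        # never downloaded: nothing to run
        if origin == agent:
            return True                         # rule 1: this agent downloaded it
        return self.mutual_trust(agent, origin)  # rule 2: mutually trusted downloader

def scenario() -> Dict[str, bool]:
    """The LAN-then-Internet case from the notes, plus a one-way-trust outlier."""
    cache = ClientAgentCache()
    # On the LAN, the internal Logon Agent downloads the antivirus scan module.
    cache.receive_enquiry("lan-agent", {"internet-agent"}, module="antivirus_scan")
    # From the Internet, a second Logon Agent that asserts trust back in the LAN agent.
    cache.receive_enquiry("internet-agent", {"lan-agent"})
    # A third agent trusts the LAN agent, but the LAN agent never asserted trust in it.
    cache.receive_enquiry("partner-agent", {"lan-agent"})
    return {
        "lan_runs_own": cache.may_run("lan-agent", "antivirus_scan"),
        "internet_mutual": cache.may_run("internet-agent", "antivirus_scan"),
        "partner_one_way": cache.may_run("partner-agent", "antivirus_scan"),
        "unknown_module": cache.may_run("lan-agent", "firewall_scan"),
    }

def self_inclusion_is_neutral() -> bool:
    """Listing the enquirer in its own trust set must not change the outcome."""
    without_self, with_self = ClientAgentCache(), ClientAgentCache()
    without_self.receive_enquiry("lan-agent", {"internet-agent"}, module="m")
    with_self.receive_enquiry("lan-agent", {"lan-agent", "internet-agent"}, module="m")
    for cache in (without_self, with_self):
        cache.receive_enquiry("internet-agent", {"lan-agent"})
    return without_self.may_run("internet-agent", "m") and with_self.may_run("internet-agent", "m")

if __name__ == "__main__":
    print(scenario(), self_inclusion_is_neutral())
```

The one-way case is the point worth watching in a deployment: an agent that merely claims to trust the LAN agent gains nothing until the LAN agent's own enquiry has asserted trust back, so the group of agents that behaves "as a single Logon Agent" is exactly the set with assertions in both directions.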

Presentation Transcript

  • How to Configure Citrix Access Gateway for Advanced Access Control Aaron Cockerill, Dir. Product Management Patrick Boucher, Senior Sales Engineer Hopeful Owitti, Senior Architect
  • Agenda
    1. Access Gateway for Advanced Access Control
    2. Advanced Access Control Console
    3. Examining the Endpoint Security SDK
    4. Conclusion
  • Citrix Delivers Access Security
    • Perimeter Security: establishes a barrier to keep malicious attacks from affecting the productivity of the organization
    • Access Security: provides regulated access to the business resources users need to perform their duties
  • Secure Access Challenges
    • Anywhere access to business applications and data
    • Expanding access to more users and device types cost-effectively
    • Prevent downtime and business loss from security breaches
    • Meet or exceed security, privacy and regulatory concerns
    Access scenarios: Mobile PDA, Kiosks, Partner Machine, Corporate Laptop, Home Computer
  • The Customer Problems
    • Endpoint security, identification, and integrity validation
    • Centralized access control to all IT resources
    • Hardened appliance
    • Control over how information and applications can be used
    • Consistent user experience
    • Bandwidth
    • Latency
    • Device idiosyncrasies
    • Cannot access from behind firewalls
    • Access from widely varying devices
    • Minimize re-authentication on re-connect
    • Need access to all internal IT resources
    [Diagram labels: Internet, Mobile PDA, Home Computer, Partners, Corporate Laptop, Firewall, Access Gateway, Advanced Access Control, Firewall, File Servers, Web or App Servers, CPS Applications, Email Servers, Desktops & Phones, Local Users]
  • Citrix Access Strategy
    • Piece-Part Approach: SSL VPN, Access Rights Management, Enterprise Single Sign-On, End-Point Security, Real-Time Collaboration, User Assistance, Application Delivery; leaves Security, Interoperability & Management Gaps
    • Integrated Approach: the same components plus Visibility & Reporting; Secure, Integrated, Flexible & Extensible
  • Product Components: Access Gateway + Advanced Access Control
    • Access Gateway
      • Hardened appliance in DMZ
      • Enables end-to-end secure communication via SSL
      • Authentication point
      • Enforces policies generated by Advanced Access Control
    • Advanced Access Control
      • Deployed in a secured network
      • Deployed on Windows Server platform
      • Centralizes administration, management & policy based access control
      • Centralized reporting and auditing
      • Manages endpoint analysis and client delivery
      • Extends access to more devices and scenarios
      • Advanced policy engine with action control
  • Advanced Access Control Features & Benefits (feature: function, then benefits)
    • Endpoint Analysis: determines client device status for access policies and provides device remediation
      • Enables corporate and regulatory compliance
      • Extensible with industry standard development tools to meet customer needs
    • Policy-based Access and Action Control: detect and adapt policies based on access scenario to control the flow of the organization’s sensitive data
      • Granular access controls
      • Intellectual property protection
      • Extend user’s access to more situations
      • Enhances security without affecting the user experience
    • Centralized Logging and Trend Reporting: provide sophisticated usage data for troubleshooting and planning
      • Improved management
      • Easy integration with 3rd party tools
    • Mobile Device Awareness: re-factored email and file interface for PDAs and small-form factor devices
      • Seamless device transition
      • User productivity
    • Extended Access Control for Presentation Server: policy-based control of Presentation Server using end-point analysis and network location awareness
      • Address regulatory and security concerns
      • Enhances Web Interface
    • Browser-only Access: access with any web browser on any device to web sites, files, and email
      • No additional client components
      • Ubiquitous access
  • SmartAccess Technology
    • Extensive policy-based sense and response
      • Automatically reconfigures the appropriate level of access as users roam between devices, locations and connections
      • Advanced, extensible end-point security policies and analysis
      • Action control defines what the user can access, and what actions they can take
    • Analyze Access Scenario :
    • Analyze endpoint to ensure connections are:
      • Safe – ensure connection will not harm corporate infrastructure
      • Trusted – analyze user, machine, and network identity to ensure the connection is being made as claimed
      • Secure – ensure malicious parties cannot attack corporate infrastructure from connecting devices
    • Provide an extensible architecture (via SDK) to allow customers and 3rd parties to easily create custom scans
    SmartAccess: Overview Analyze Access Scenario
    • Machine Identity:
      • NetBIOS name
      • Domain Membership
      • MAC address
    • Machine Configuration
      • Operating System
      • Anti-Virus System
      • Personal Firewall
      • Browser
    • Network Zone
      • Login Agent
    • Authentication Method
    • Custom Endpoint Scans
  • SmartAccess: Overview Analyze Endpoint & Connection Implement Access Control
    • CPS applications
    • File & network shares (UNCs)
    • Web based email
    • Web sites (URLs)
    • Web applications
    • Email & application synchronization
    • Machine Identity:
      • NetBIOS name
      • Domain Membership
      • MAC address
    • Machine Configuration
      • Operating System
      • Anti-Virus System
      • Personal Firewall
      • Browser
    • Network Zone
      • Login Agent
    • Authentication Method
    • Client Certificate Queries
    • Custom Endpoint Scans
    • Policy Based Access Control:
    • Situational or contextual access control based on user membership, authentication strength, device and connection to ensure IT resources are not exposed to unwarranted risk
  • SmartAccess: Overview
    • Intellectual Property Control:
    • Manage the use of sensitive information by:
      • controlling how information is accessed and used (CPS, HTML Preview, LiveEdit etc.)
      • controlling what can be done with that information (download, print, save, copy, etc.)
      • ensuring no data is left on the local machine
    • Enable companies to log all access
    • Full download of documents
    • LiveEdit
      • Edit locally
      • Save back to server
      • Retain in memory during edit
      • Avoid data leakage on client
    • Preview documents with HTML
      • Access from PDAs
      • View without application on client
    • Attach to email
      • Avoid data transmission to client
    • CPS Applications
      • Control available applications
      • Limit local mapped drives & printing
    Analyze Endpoint & Connection | Implement Access Control | Implement Resource Usage Control
    SSL-VPNs
  • Granular Access Controls
    • File Preview
    • Web E-mail
    • Controlled Presentation Server Access
    • File Download
    • Local Edit and Save
    • File Upload
    • E-mail Sync
    • Web E-mail
    • Full Presentation Server Access
    • Full Presentation Server App Set
    • Edit in Memory
    • Limited Presentation Server access (read-only local drive mapping)
    • Limited Presentation Server application set
    • File Preview
    • File Upload
    • E-mail Sync
    • Web E-mail
    Columns: Corporate Desktop | Remote Corporate Device | Public Kiosk
  • Browser-only Access
    • Extend access to any device with a browser
    • Absolutely no client required
    • Deliver e-mail, file shares, web sites/applications to any device with a browser
    • Automatically render Microsoft Office documents to HTML preview
  • Browser-only Access: Overview
    • For use when an Access Gateway client is not deployed
    • Obfuscates internal URLs
    • Controls client-side caching
    • Enforces access control
    • Provides access to:
      • Protected Web Sites Web Proxy
      • File Shares Nav UI
      • Web email Outlook Web Access, iNotes, or Nav UI
  • Mobile Device Awareness
    • Support for small form-factor devices:
      • Nav UI
      • Web Email
      • File Browser
      • HTML Preview
      • Email as attachment
    • Supported platforms:
      • Palm
      • RIM Blackberry
      • PocketPC 2000/2003
      • Microsoft Smartphones
  • Mobile Device Awareness: User Experience
    • User types in the logon point URL into the PDA browser
    • User enters login credentials, including two-factor as necessary
    • After successful authentication, user is informed of session start
    • User is presented with the file and email interface
  • Mobile Device Awareness: User Experience
    • Create/view email
    • Access shared or mapped drives
    • Access, view and email Microsoft Office files without download
    • Email documents from file shares
  • Access Gateway and Advanced Access Control 4.2: Access Gateway + Advanced Access Control, defining a new level of control and access!
  • Agenda
    1. Access Gateway with Advanced Access Control
    2. Advanced Access Control Console
      • Overview
      • Creating Resources
      • Authentication and Logon Points
      • Creating and Applying Policies
      • Access Scenarios
    3. Examining the Endpoint Security SDK
    4. Conclusion
  • Designing an Access Strategy
    • Inventory all IT resources
    • Group resources into levels of sensitivity
    • Define end user access scenarios
    • Associate end user access scenarios with levels of sensitivity
    • Develop phased approach to implementation
    [Diagram labels: CPS Applications, Web or App Servers, File Servers, Email Servers, Desktops & Phones, Partner Machine, Mobile PDA, Corporate Laptop, Home Computer]
  • Advanced Access Control
    • Advanced Access Control includes:
      • Policy-based access control
      • Action rights control
      • Clientless access
      • Roaming policies
  • Configuring Advanced Access Control
    • Add Resources
      • Web, Files, Email, Network Connections, Presentation Server
    • Configure the Access Gateway within the Access Console
    • Configure Authentication
      • Support for Strong Authentication like SafeWord Tokens
    • Configure Logon Point Properties
    • Create Policies to control resource access
    Important: By default, users are denied access to network resources until you create policies that grant them access permission.
  • Creating Web Resources
    • Web pages or web sites
    • Group related URLs as a single Web resource
    • Pass-through authentication methods:
    • Optional Settings:
      • Bypass URL rewriting
      • Interface common for all browser types
  • Creating Web Resources
  • Creating File Share Resource
    • Shared directories
    • Group related shares as a single resource
    • You can use variables
    • Publish a file share
      • Browse to File Share
      • Navigate to unpublished shares
      • Access controlled by policy
  • Creating File Share Resource
  • Creating EMail Resource
    • Supported Web email applications
      • Microsoft Outlook Web Access
      • Lotus Notes/Domino
    • Microsoft OWA supports small form factor devices
    • Note: Enter the URL of the load balancer as the start page
  • Creating EMail Resource
  • Creating Network Resources
    • TCP / UDP access via Secure Access Client
    • Securely connect to services through the Access Gateway
    • Simply specify a server and the port(s)
  • Creating Network Resources
  • Accessing Presentation Server
    • Access published applications
    • Apply policies to Citrix Presentation Server:
      • Published applications
      • Workspace Control
      • Policies like client-drive mapping and local printing
  • Accessing Presentation Server Step #1 – Presentation Server Console
  • Accessing Presentation Server Step #2 – AAC Console
  • Alternative Means of Accessing Presentation Server
    • Within Advanced Access Control:
      • Web Interface as a Web application
        • Single Sign On optional
      • File type association
        • Documents available via related Presentation Server applications
      • Access center
        • Program Neighborhood or embedded application
    • Within Citrix Presentation Server 4.0:
      • Associate published resources to AAC policies
      • Allow connections through MetaFrame Secure Access Manager
      • Trust requests sent to the XML Service
  • Configuring the Access Gateway
    • Administer the appliance using:
      • Access Gateway Administration Tool
      • Access Suite Console
    • Configure IP routing
    • Configure static routes
    • Leverage RIP and RIP2
  • Configuring the Access Gateway from the Access Suite Console
  • Resource Groups
    • Group resources into a single entity
    • Requires fewer total policies
    • Eases policy administration
  • Resource Groups
  • Advanced Authentication
    • Advanced Authentication Types
      • Secure Computing SafeWord
      • RSA SecurID
      • LDAP
      • RADIUS
  • The Logon Point
    • Logon Points
      • Defines the logon page for users
      • Specifies settings that are applied to user sessions
      • Specifies authentication strength
      • Specifies the home page
      • Specifies the MetaFrame Presentation Server farms
  • The Logon Point
    • Testing with your sample logon point
      • SampleLogonPoint at: http://Server-Name/CitrixLogonPoint/SampleLogonPoint
    Important: The sample logon point is designed for testing purposes only
  • The Logon Point
  • Deploying the Logon Point
    • Multiple Logon Agents can point to an Advanced Access Control Farm
    • Logon Points are only available when deployed by an administrator
  • Policies - Controlling Access
    • Dynamic control of access to resources and connections
    • You can create two types of policies:
      • Connection Policies control Secure Access Client connections
      • Access Policies are granular permissions to resources
    • When configuring policies, you define:
      • Users / Groups
      • Conditions when the policy applies
    The access scenario is the information about the user and the user’s client device. This information is used to determine policy enforcement.
  • Creating Connection Policies
    • Connections that use the Secure Access Client
    • Assign filters to connection policies
      • Filters are conditions that define when the policy applies
    • One of the filters is a continuous scan filter
      • A scan that monitors the client device during the entire user session
      • The connection is dropped when the client device ceases to meet the requirements
  • Creating Connection Policies
  • Creating Access Policies
  • Creating Policy Filters
    • Three types of conditions
      • Logon point - access based on the URL through which the user connects to the network
      • Authentication strength - whether users authenticate with passwords only or use advanced authentication
      • Endpoint analysis scan outputs - based on information gathered by endpoint analysis scans
    Remember: your filters can be used within Citrix Presentation Server
  • Creating Policy Filters: Endpoint Analysis
  • Creating Policy Filters: Filter Creation
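The filter and policy model described on these slides, as an added example (not Citrix's code): a Python sketch that evaluates constructed access policies against an access scenario under the default-deny rule, and shows how a connection policy's continuous scan filter would end a session once the device stops meeting it. All policy, group, logon point and scan output names are assumptions made for the example.

```python
"""Added model of Advanced Access Control policy evaluation (example code, not Citrix's
own implementation). It covers the three filter conditions from the slides (logon point,
authentication strength, endpoint analysis scan outputs), access policies that grant a
resource plus action rights to groups, the default-deny rule, and the continuous scan
filter of a connection policy. All names and values below are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

@dataclass(frozen=True)
class Scenario:
    """The access scenario: what is known about the user and the client device."""
    groups: FrozenSet[str]
    logon_point: str               # e.g. "CtxExternal" (constructed name)
    auth_strength: str             # "password" or "advanced"
    scan_outputs: Dict[str, bool]  # boolean endpoint analysis outputs, by name

@dataclass(frozen=True)
class Filter:
    """Conditions that define when a policy applies; an empty field means 'any'."""
    logon_points: FrozenSet[str] = frozenset()
    auth_strength: Optional[str] = None
    required_outputs: FrozenSet[str] = frozenset()  # scan outputs that must be True

    def matches(self, s: Scenario) -> bool:
        if self.logon_points and s.logon_point not in self.logon_points:
            return False
        if self.auth_strength is not None and s.auth_strength != self.auth_strength:
            return False
        # A scan output that was never produced counts as False, never as True.
        return all(s.scan_outputs.get(name, False) for name in self.required_outputs)

@dataclass(frozen=True)
class AccessPolicy:
    """Grants action rights on one resource to members of the listed groups."""
    name: str
    groups: FrozenSet[str]
    resource: str
    actions: FrozenSet[str]
    filter: Filter

def evaluate(policies: Iterable[AccessPolicy], s: Scenario) -> Dict[str, Set[str]]:
    """Return {resource: allowed actions}; nothing is granted unless a policy grants it."""
    granted: Dict[str, Set[str]] = {}
    for p in policies:
        if (p.groups & s.groups) and p.filter.matches(s):
            granted.setdefault(p.resource, set()).update(p.actions)
    return granted

def disconnect_index(conn_filter: Filter, snapshots: List[Scenario]) -> Optional[int]:
    """A connection policy with a continuous scan filter re-checks the device during the
    session: return the index of the first snapshot that no longer meets the filter
    (the point of disconnection), or None if the device stayed compliant throughout."""
    for i, snap in enumerate(snapshots):
        if not conn_filter.matches(snap):
            return i
    return None

# Constructed policies: preview-only for any Sales user; full rights only with advanced
# authentication on a domain-joined device whose anti-virus scan output is True.
TRUSTED = Filter(auth_strength="advanced",
                 required_outputs=frozenset({"DomainMember", "AntiVirusRunning"}))
POLICIES = [
    AccessPolicy("sales-preview", frozenset({"Sales"}), "SalesFileShare",
                 frozenset({"preview_html"}), Filter()),
    AccessPolicy("sales-full", frozenset({"Sales"}), "SalesFileShare",
                 frozenset({"preview_html", "download", "save_local", "print_local"}),
                 TRUSTED),
    AccessPolicy("partner-app", frozenset({"Partners"}), "CPS:SalesPortal",
                 frozenset({"launch"}), Filter(logon_points=frozenset({"CtxPartner"}))),
]
KIOSK = Scenario(frozenset({"Sales"}), "CtxExternal", "password",   # constructed
                 {"DomainMember": False, "AntiVirusRunning": False})
LAPTOP = Scenario(frozenset({"Sales"}), "CtxExternal", "advanced",  # constructed
                  {"DomainMember": True, "AntiVirusRunning": True})
```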
  • Accessing the Entire Network
    • All servers and services on your secure network
    • Use Entire Network resource to
      • quickly set up your deployment and test access
      • provide unlimited access to a special class of user, such as administrators who need wide access for disaster recovery or emergency operations
      • provide open access by default and later develop policies that deny access to specified resources according to your security plan
  • Accessing the Entire Network
  • Access Scenario #1
    • User Access Profile
      • Corporate Sales Employee
      • iForum Internet Kiosk
      • Located within Mandalay Bay, Las Vegas
  • End User Experience: Partial Access
    • Download and Access Information:
      • Full download
      • Download to memory only
      • Access via CPS only
      • Preview in HTML only
    • Edit and Save Changes:
      • Save locally
      • Save only to network
      • Save disabled
    • Print
      • Print locally
      • Print to selected printers
      • Printing disabled
    • Presentation Server Applications
  • Access Scenario #2
    • User Access Profile
      • Employee of a Partner Organization
      • Partner Provisioned Desktop (UNTRUSTED)
      • Located within Partner Organization Office
  • End User Experience: Partial Access
    • Download and Access Information:
      • Full download
      • Download to memory only
      • Access via CPS only
      • Preview in HTML only
    • Edit and Save Changes:
      • Save locally
      • Save only to network
      • Save disabled
    • Print
      • Print locally
      • Print to selected printers
      • Printing disabled
    • Presentation Server Application
  • Access Scenario #3
    • User Access Profile
      • Corporate Sales Employee
      • Corporate Provisioned Laptop
      • Located within Mandalay Bay, Las Vegas
  • End User Experience: Partial Access
    • Download and Access Information:
      • Full download
      • Download to memory only
      • Access via CPS only
      • Preview in HTML only
    • Edit and Save Changes:
      • Save locally
      • Save only to network
      • Save disabled
    • Print
      • Print locally
      • Print to selected printers
      • Printing disabled
    • Presentation Server Applications
  • Access Scenario #4
    • User Access Profile
      • Corporate Sales Employee
      • Corporate Provisioned Laptop
      • Located within Corporate Remote Office Location
  • End User Experience: Full Access
    • Download and Access Information:
      • Full download
      • Download to memory only
      • Access via CPS only
      • Preview in HTML only
    • Edit and Save Changes:
      • Save locally
      • Save only to network
      • Save disabled
    • Print
      • Print locally
      • Print to selected printers
      • Printing disabled
    • Presentation Server Applications
  • Agenda
    • 1 Access Gateway with Advanced Access Control
    • 2 Implementing Advanced Access Control
    • 3 Examining the Endpoint Security SDK
      • Endpoint Analysis Overview
      • Endpoint Analysis SDK
      • Developing Custom Scans
    • 4 Conclusion
  • Essence of SmartAccess: Resource Usage Control (diagram: user scenario + endpoint sensing feed policy-based access control and action control)
    • Which user? User status determined by endpoint analysis, for example:
      • NetBIOS name
      • Domain membership
      • MAC address
      • Operating System
      • Anti-Virus System
      • Personal Firewall
      • Browser Type
      • Device location (internal or external)
      • Machine logon (Windows, Novell, etc)
      • Strong Authentication (RSA Security, Secure Computing, ActivCard)
    • Access Control: who can access what data?
      • Presentation Server applications
      • File & Network shares
      • Web-based email
      • Web sites
      • Web applications
      • Email & application synchronization
    • Endpoint Sensing categories
      • Machine Identity
      • Machine Configuration
      • Network Zone
      • Authentication Method
      • Custom Scans
    • Action Control: what action can the user take? (edit, view only, print, save)
      • Copy/Paste
      • Save
      • Print
      • Preview
      • Save to network
      • Save locally
      • Log access
  • Implementation Requirements
    • Win32 Clients
    • Microsoft Internet Explorer 5 or 6 with cookies enabled and permission to load signed ActiveX controls, if distributing the ActiveX control
    • Netscape Navigator 7 or greater or Mozilla Firefox, if distributing the browser plug-in
  • Endpoint Analysis Terminology
    • Endpoint Analysis gathers information about client devices accessing your networks and verifies that data against pre-set requirements
    • Endpoint Scans allow you to enforce policies based on scan results
      • Define properties to verify on the client device
      • Define conditions under which the scan is run
    • Rules contain sets of conditions defining when to run the scans and which conditions to verify – Multiple rules can apply to one scan package
    • Scan Outputs contain information detected from the client device or Boolean expressions indicating a true/false scan result.
    • Example: Internet Explorer scan
      • Property to verify on client = version
      • Condition to run scan = logon point
      • Rules:
        • All Win32 clients except XP & 2003 (because XP and 2003 already ship with the required version 6)
        • When logon point = CtxExternal (because CtxInternal is used by employees who know better)
      • Outputs:
        • Return true if version is 6 or greater!
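The Internet Explorer scan above, worked through as an added Python example (not code from the Citrix Endpoint Analysis SDK, whose IEPAEnvironment and IEPAParameterCollection interfaces are not reproduced here): the rule prerequisites, a client enquiry that reports only the raw version, and a server-side transform that produces the boolean output so that nothing sent to the device reveals the success criteria. The OS names, endpoint facts and the MinimumVersion parameter are constructed.

```python
"""Added model of the Internet Explorer version scan from the slides (example code, not
Citrix SDK code). The client side only reports a raw value; the server side compares it
against the package parameter, so the data sent to the device does not reveal the
success criteria. Endpoint facts, OS names and logon point names are constructed."""
from typing import Dict, Optional, Tuple

Endpoint = Dict[str, str]  # constructed facts a scan client would read from the device
PARAMS = {"MinimumVersion": "6"}  # package parameter, compared server-side only

def parse_version(text: str) -> Tuple[int, ...]:
    """'6.0.2900.2180' -> (6, 0, 2900, 2180); stops at the first non-numeric piece."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def version_at_least(found: str, minimum: str) -> bool:
    """Compare dotted versions; '6' is treated as '6.0.0...' so '6.0.2800' >= '6'."""
    a, b = parse_version(found), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))

def rule_applies(endpoint: Endpoint, logon_point: str) -> bool:
    """Rule from the slides: run on all Win32 clients except XP and 2003, and only
    when the user arrived through the CtxExternal logon point."""
    return (endpoint.get("os") not in ("WindowsXP", "Windows2003")
            and logon_point == "CtxExternal")

def client_enquiry(endpoint: Endpoint) -> str:
    """Client-side detection code: report the raw IE version string, nothing else."""
    return endpoint.get("ie_version", "")

def server_transform(raw: str, params: Dict[str, str]) -> bool:
    """Server-side post-processing turns the raw value into the boolean scan output;
    an empty or unparsable value fails closed."""
    return bool(parse_version(raw)) and version_at_least(raw, params["MinimumVersion"])

def run_scan(endpoint: Endpoint, logon_point: str,
             params: Dict[str, str] = PARAMS) -> Optional[bool]:
    """None means the rule did not apply (scan not run); otherwise the boolean output."""
    if not rule_applies(endpoint, logon_point):
        return None
    return server_transform(client_enquiry(endpoint), params)

if __name__ == "__main__":
    # constructed endpoint: Windows 2000 with IE 6 SP1 arriving via CtxExternal
    print(run_scan({"os": "Windows2000", "ie_version": "6.0.2800.1106"}, "CtxExternal"))  # True
```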
  • High-Level Architecture (diagram: Endpoint Device, Internet, DMZ, Protected Network (LAN); components: Access Gateway, Advanced Access Control Services, Administration Layer (CMI), Data Layer; callouts below are matched to the components they describe)
    • EPA Client Object: native Win32 DLL, an ActiveX control or plug-in that hosts the enquiries
    • EPA Activation Page: generates the client-side code to deploy (if necessary) and start the EPA Client object on the endpoint device when a new session request is detected
    • EPA Proxy: forwards requests from the EPA client to the EPA Service
    • EPA Web service:
      • Executes server-side package code to generate client enquiries
      • Performs post-processing on results for use by the policy engine
    • Package code (copy cached by Service and Proxy):
      • Code modules for both client and server side execution
      • Cached locally by Service and Proxy components
      • Script or C/C++ native DLLs according to the whims of package authors
      • Extracted from DB and deployed to Service and Proxy using the Deployment Service
    • Package code (copy cached on the endpoint device):
      • Code modules for both client and server side execution
      • Cached locally by Service and on endpoint device
      • Script or C/C++ native DLLs according to the whims of package authors
      • Extracted from DB and deployed to Service using the Deployment Service
    • EPA tables: extension of the farm database to hold the contents of packages and associated rules
    • EPA Business Objects: .Net assembly objects that form an abstraction layer over the database tables
    • EPA Admin UI:
      • Package rule configuration
      • Extensions to Logon Agent configuration related to EPA (mutual trust, service location)
      • Delivered as a .NET assembly
  • Evaluation Process (diagram: Endpoint Device, Internet, DMZ, Protected Network (LAN); Access Gateway and Advanced Access Control)
    1. User opens browser and points to the Access Gateway.
    2. Access Gateway detects a new session and deploys the endpoint scan client.
    3. Scan client is activated. It calls the dispatchers to retrieve scan parameters.
    4. Dispatchers retrieve scan scripts and parameters via the Endpoint Analysis Web Service.
    5. Browser downloads the necessary endpoint analysis modules if they are not cached on the endpoint. Modules are stored in the database and deployed from the EAS; scan operations then execute.
    6. EPA client posts results to the Endpoint Analysis Web Service via the Access Gateway, and the EAS executes transformation modules on the results. May repeat from step 4 until all needed data is collected.
    7. Access Gateway posts transformed results to the Authentication Service. EAS queries the Policy Engine to determine if authentication is allowed.
    8. If yes, display the authentication page; otherwise provide feedback to instruct on steps for remediation.
    9. At authentication, results are stored with session data.
  • Evaluation Process (sequence diagram between Client Browser, Access Gateway, Logon Agent Service, EPA Proxy, EPA Web Service and the Access Control & Policy Engine; messages 1-9: connect, begin login sequence, agent activation + initial enquiries, requests for package code or intermediate data, package code or more enquiries, execute scan, post scan output, transformed final results, GO/NO-GO, login or access denied page)
  • Endpoint Analysis Client
    • ActiveX or Plugin client that requires user confirmation to execute
    • Includes Control Applet to manage trusts and cache – code is cached under Application Data\Citrix\EPA
    • Provides flexible range of security, identity, and device integrity checks on client machines
  • Endpoint Analysis – FYI
    • Endpoint analysis completes before the user session consumes a license – requires user’s permission to initiate scan
    • Code and data sent to client does not reveal success criteria for evaluation
    • The client agent and the endpoint analysis server are stateless
    • Client caches downloaded code by site
    • Command line utilities available for updating parameters and data sets
    • Disallowed error page can be customized
  • Visual Studio .Net Add-in
    • Extends existing Visual Studio concepts
      • New Endpoint Analysis Solution and File Types
      • Wizard driven package development
      • Extend Solution and Project Properties
      • Extend build environment to auto-generate .cab file
    • Package Developer “Fills in the Blanks” to provide new Analysis functionality
    • Contains all projects associated with a package
    • Allows use of Visual Studio tools for localizing packages via Resource Files
  • Visual Studio .Net Add-in (screenshot: client-side detection code and server-side enquiry code)
  • Environment Setup
    • Install Microsoft Visual Studio .Net 2003
    • Download and Install the Endpoint Analysis SDK:
      • http://apps.citrix.com/cdn
    • Add EPA Include path to INCLUDE environment variable or within Visual Studio
      • Located by default at: C:\Program Files\Citrix\EndpointAnalysisSdk\Include
    • Install dependent APIs or executables if needed
    • Create Advanced Access Control testing environment
  • Step 1 – Create Project Stub
    • Launch Visual Studio and create a new project
    • Determine cab file location
      • Cab file is imported as a scan package within the Access Suite Console
    • Identify your package
      • Use company domain for the URI value
    • Determine development language
      • C++ or VBScript
    • Define first boolean output
      • Additional outputs can be defined later
      • Outputs can be boolean, strings, integers or version, but only boolean outputs are used in policies
  • Step 2 – Edit Package Properties
    • Select File -> Edit Endpoint Analysis Package Properties
    • Edit Version and other general properties if desired
    • Add more outputs if needed
      • Outputs can be used for logging or as input parameters to other scans
    • Modify Parameter List
      • Parameters can have a range of valid values to compare against an output
      • Value lists can be updated using command line utilities
    • Define additional prerequisites
      • Prerequisites determine conditions for code execution
    • Define entry point for Dispatcher Code
      • RequestScan entry point defined by default
      • Specify required prerequisites and parameters for the entry point
  • Step 3 – Code and Debug
    • ClientDownload.cpp hosts the client detection logic
      • Define an exportable function on the client; the server component is instructed what function to call
    • Dispatcher.cpp contains the server-side detection code
      • Entry points are added automatically when set in the EPA properties screen – the signature includes two parameters:
        • IEPAEnvironment: registers client queries and provides access to datasets
        • IEPAParameterCollection: contains parameters defined in scan properties
  • Step 4 – Package and Deploy
    • Building the solution creates a cab file for the scan package in the designated directory
    • Cab file contains:
      • An XML manifest that describes the operation of the EPA package
      • Zero or more bitmaps to serve as icons within the Access Suite Console
      • One or more code or script files (code modules in script format or Win32 Dlls)
      • One or more resource files (one per language into which the vendor has localized the package)
    • Deploy the cab file in test environment
      • Import the cab file through the Access Suite Console
      • Deploy the cab file from within Visual Studio
  • Questions?
  • Before you leave…
    • Recommended related breakout sessions:
      • 3113: Protecting Intellectual Property with the Citrix Access Suite 4.0
        • Tuesday, October 11@ 9:00am -- 9:50am
      • 2128: Citrix Access Gateway, the Best Way to Secure Citrix Presentation Server
        • Tuesday, October 11@ 3:30 -- 4:20pm
    • Session surveys are available online at www.citrixiforum.com on Tuesday, October 11 (please provide feedback)
    • Breakout session handouts are located at the Breakers Registration Desk South
    • Citrix Technology Lab: learn how Citrix leads the industry in access products that deliver the best access experience.
      • Where: Mandalay Bay Ballroom I
      • When: Monday 12pm – 3pm; Tuesday 10am – 4pm
    • Meet the Architects
      • Monday & Tuesday: 1pm – 3pm