Secure delivery of virtual desktops with Citrix Access Gateway
1. Citrix Access Gateway 5.0
Daniel Künzli, Systems Engineer ANG
Citrix Systems GmbH, Switzerland
2. Secure access to Citrix app and desktop virtualization
An integrated delivery infrastructure
[Diagram: Citrix delivery infrastructure. Components shown: Citrix Receiver, Citrix Branch Repeater, Citrix Access Gateway, XenApp, XenDesktop, XenServer, NetScaler. Layer labels: Delivery, Network.]
3. What is Citrix Access Gateway?
Citrix Access Gateway™ is the only secure application and desktop
access solution that provides administrators with application-level
control while empowering users with access from anywhere.
• Adaptive Policy Control
• HDX SmartAccess
• Best Performance & Flexible Deployment
4. Seamless access through Citrix Receiver
Broad Platform Support
•Windows
•Mac
•Linux
•iPhone and iPad
•Android
•Blackberry
•Java
Citrix Confidential - Do Not Distribute
5. Adaptive Policy Control
[Diagram: adaptive policy control. Access control labels: Who (user, authentication), What (device, endpoint analysis), Where (location), Which resources and how (web and mail servers, file access, networks via VPN, clientless access, applications). Callout: "Other SSL VPNs only go this far". Application-level control labels: XenApp (applications, virtual channels), XenDesktop (desktops, virtual channels).]
6. Appliance Options
NetScaler MPX 7500 or higher
•Multi-function appliance (secure access, load-balancing, acceleration)
•Highest capacity (10,000+ users per appliance)
•Most reliable hardware
•Ideal for business continuity across multiple datacenters
Access Gateway MPX 5500
•Designed for secure access
•High capacity (5,000 users per appliance)
•Upgradable to NetScaler for additional functionality
Access Gateway 2010
•Ideal for secure access to XenApp and XenDesktop
•Designed to upgrade Secure Gateway
•Capacity for medium-size deployments (500 users per appliance)
Access Gateway VPX
•Virtual appliance with same functionality as Access Gateway 2010
•Designed to upgrade Secure Gateway
•Capacity for medium-size deployments (500 users per appliance)
•Available for Citrix XenServer or VMware ESX (NEW!) hypervisors
7. Which Appliance To Choose
Appliances: NetScaler MPX 7500 or higher, Access Gateway MPX 5500, Access Gateway 2010, Access Gateway VPX
• How many users?
• What form factor?
• Physical or Virtual appliance?
• Will the appliance be dedicated for remote access?
• Multi-function appliance required?
• How many sites need to be supported?
• Certificate based authentication?
• Client certificates?
8. Basic High Availability
Appliance Failover avoids a single point of failure
[Diagram: primary and secondary appliances behind a single external IP address and a single internal IP address]
•Available with all appliance models (New! on Model 2010 and VPX)
•Avoid single points of failure in Access Gateway deployments
(including Access Controller servers)
9. Achieve Business Continuity with NetScaler & Global Server Load Balancing
•Enable multiple site deployments transparently to users
•Route users to the nearest and most available datacenter
10. Best SSL VPN to use within Citrix environments
Secure Gateway Upgrade
• Seamless support for Citrix Receiver and Dazzle
• Adaptive Policy Control
• Single point of secure access for all Citrix solutions
• Cost-effective (No user licenses required)
Flexible deployment options
• Hardened physical appliance
• Virtual appliance
• Business continuity options available
Use Access Gateway with XenDesktop and XenApp
11. Access Gateway 5.0 – Release Overview
Replacement for Access Gateway Standard and Advanced
• For SMB and midsize organizations
• Runs on the Model 2010 and AG VPX only
All new appliance firmware with simplified administration
Architecture refresh will increase feature velocity
Delivers new features for existing AG-S/A customers
• Subscription Advantage Eligibility date: Sep 1, 2010
12. New! Access Gateway VPX for VMware ESX
Access Gateway VPX
• Same features as the Model 2010 physical appliance
• Supported on Citrix XenServer and VMware ESX
Supports up to 500 concurrent users
List price $995
• Same as XenServer version
• Includes 1 yr Subscription Advantage
Free 5-user VPX Express Edition
• www.citrix.com/tryaccessgateway
13. Choose a virtual appliance when…
Limited rack space or infrastructure is available
Agility and rapid recovery are important
• Virtual appliances enable fast deployment and provisioning
• Downtime is minimized through hardware independence
Cost-cutting is a requirement
• Energy consumption reduced through consolidation
• Standardizing hardware creates a pricing advantage with server vendors
A low-cost training & testing environment is needed
14. Licence Types
• Platform license
  • Comes with AG appliance (upgrade / fulfillment)
  • Required for the Gateway to function
  • Allows XA / XD connections: basic logon points (SG replacement)
• Universal license
  • CCU license: SmartAccess logon points
  • Full VPN tunnel & clientless access to websites and file shares
  • Endpoint analysis & policy-based SmartAccess
• Express license
  • VPX appliance only
  • 1 platform, 5 users, 1 year
16. How Can I Deploy Access Gateway VPX?
VPX supports the same deployment modes as the
Model 2010 appliance, including:
• Single-DMZ deployment with SSL VPN access
• Single-DMZ deployment with Citrix Web Interface “behind” Access Gateway VPX
• Single-DMZ deployment with Citrix Web Interface “parallel” to Access Gateway VPX
• “Advanced Access Control Mode” where policies are deferred to a Citrix AAC server (Access Gateway, Advanced Edition)
• Multiple Access Gateway instances configured in a failover cluster
17. Web Interface Parallel to Access Gateway
[Diagram components: XenApp Online Plugin, Access Gateway, Web Interface, XenApp]
18. Web Interface Behind Access Gateway
[Diagram components: XenApp Online Plugin, Access Gateway, Web Interface, XenApp]
19. Full VPN Access
[Diagram components: Access Gateway Plugin, Access Gateway, XenApp, Web Interface, Microsoft SharePoint, File shares, Other]
20. Access Gateway with Citrix Receiver
[Diagram components: Citrix Receiver, Citrix Dazzle, Access Gateway, XenApp, Web Interface, Merchandising Server]
21. Advanced Access Control
[Diagram components: XenApp Online Plugin - OR - Access Gateway Plugin, Access Gateway, Advanced Access Control, XenApp, Web Interface]
22. NIC Bonding
• Join multiple physical network interfaces (PIFs) in XenServer
• Bonded NICs appear as a single virtual interface (VIF) to a virtual machine
• NIC Bonding increases fault tolerance
• PIFs work in Active/Active mode
23. High Availability
• Group multiple XenServer host machines into a “server pool”
• During a XenServer host failure, Access Gateway VPX is initialized on another XenServer in the pool
• Active user sessions need to be re-established
24. XenMotion
• Transfer a running instance of Access Gateway VPX from one physical XenServer host to another XenServer host without terminating existing user sessions.
25. Add a Failover Gateway
• Add VPX as a failover server for an existing deployment
• If the appliance is ever unavailable, clients use the VPX
[Diagram: primary appliance (Model 2010) and secondary appliance (Access Gateway VPX) between an external virtual IP address and an internal virtual IP address, in front of internal resources]
26. Installing Access Gateway VPX
1. Install Citrix XenServer and XenCenter
2. Obtain virtual image file cag.xva (295.5 MB)
3. Using XenCenter, import the virtual machine.
• Import type: Exported VM
4. Browse to select the cag.xva file
5. Virtual machine import takes a few minutes to complete
6. Virtual image starts up with default IP address 10.20.30.40
27. Initial Configuration – Within XenCenter
1. In XenCenter, select the Access Gateway virtual machine and click the Console tab
2. Log on
Username: admin
Password: admin
3. Use the text-based menu to set IP address & default gateway
28. Console Menu
Access Gateway, 5.0.0.144025, 2010-08-30
-----------------------------------
Main Menu
-----------------------------------
[0] Express Setup
[1] System
[2] Troubleshooting
[3] Help
[4] Log Out
------------
Choice:
Slide callout for [0]: Use Express Setup to set IP address, subnet mask & default gateway
29. Initial Configuration – Using Browser-based Admin Tool
• After changing the AG VPX IP address, point a browser to
https://<IPAddress>/lp/adminlogonpoint
• Log on as admin / admin
31. Appliance Setup
1. Create authentication profile(s) – LDAP, RADIUS, RSA
2. Set the host name
3. Request and install an SSL certificate
4. Install the free Access Gateway Platform License
5. Add Secure Ticket Authorities and ICA ACLs
6. Create a Basic Logon Point for use with Web Interface
Detailed steps available at edocs.citrix.com
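Added example, not part of the original slides and not Citrix tooling: a post-setup check for the steps above, confirming that nothing still answers on the factory address and that the admin logon point presents a certificate the workstation trusts. The address 10.20.30.40 and the path /lp/adminlogonpoint come from the slides; the hostname ag.example.test and the results in fake_probe are constructed, and a Python 3 admin workstation is assumed.

```python
import socket
import ssl

DEFAULT_IP = "10.20.30.40"          # factory default address named on the slides
ADMIN_PATH = "/lp/adminlogonpoint"  # admin logon point path named on the slides


def tls_status(host, port=443, timeout=3.0):
    """Classify the TLS handshake with host:port against the system trust store."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError as exc:
        # Self-signed, expired or wrong-name certificate (setup step 3 not done).
        return "untrusted: " + exc.verify_message
    except ssl.SSLError:
        return "tls-error"      # handshake failed for a non-certificate reason
    except OSError:
        return "unreachable"    # refused, timed out or unresolvable


def audit(hostname, probe=tls_status):
    """Return findings for one appliance; probe is injectable for offline runs."""
    findings = []
    if probe(DEFAULT_IP) != "unreachable":
        findings.append(f"something still answers on factory IP {DEFAULT_IP}")
    status = probe(hostname)
    if status == "unreachable":
        findings.append(f"{hostname} is not reachable on 443")
    elif status != "trusted":
        findings.append(f"https://{hostname}{ADMIN_PATH} TLS check: {status}")
    return findings


def fake_probe(host):
    """Constructed results standing in for a freshly imported appliance."""
    results = {
        DEFAULT_IP: "untrusted: self-signed certificate",
        "ag.example.test": "untrusted: self-signed certificate",
    }
    return results.get(host, "unreachable")


if __name__ == "__main__":
    for finding in audit("ag.example.test", probe=fake_probe):
        print("FINDING:", finding)
```

Call audit("your-gateway-hostname") without the probe argument to run the real check from a workstation that can reach the appliance.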
32. Configuring the Logon Point
Select “Basic”
Enter WI URL
Select Auth Profile
Enable Single Sign-on
Click Save
44. Discontinued Features
• Standard Edition
  • DMZ with double hop
  • Dynamic routing with Routing Information Protocol (RIP)
  • Windows NT LAN Manager (NTLM) as authentication method
  • Locally defined Access Gateway users
• Advanced Edition
  • Live Edit
  • HTML preview
  • Web E-Mail