Secure Delivery of Virtual Desktops with Citrix Access Gateway
 

Presentation Transcript

  • Citrix Access Gateway 5.0. Daniel Künzli, Systems Engineer ANG, Citrix Systems GmbH, Switzerland
  • Secure access to Citrix app and desktop virtualization: an integrated delivery infrastructure [diagram: Citrix Receiver, Citrix Branch Repeater, Citrix Access Gateway, XenApp, XenDesktop, XenServer, NetScaler; Delivery Network]
  • What is Citrix Access Gateway? Citrix Access Gateway™ is the only secure application and desktop access solution that provides administrators with application-level control while empowering users with access from anywhere. [slide labels: Adaptive Policy Control; Best Performance & Flexible Deployment; HDX SmartAccess]
  • Seamless access through Citrix Receiver. Broad platform support: Windows, Mac, Linux, iPhone and iPad, Android, Blackberry, Java. Citrix Confidential - Do Not Distribute
  • Adaptive Policy Control [diagram labels: user authentication, device location, endpoint analysis; web and mail servers, files, networks, access control; VPN access, clientless access; XenApp applications and XenDesktop desktops with their virtual channels, application-level control. Annotation: "Other SSL VPNs only go this far"]
  • Appliance Options (bullets and appliance labels in slide order)
      • Multi-function appliance (secure access, load-balancing, acceleration)
      • Highest capacity (10,000+ users per appliance)
      • Most reliable hardware
      [appliance label: NetScaler MPX 7500 or higher]
      • Ideal for business continuity across multiple datacenters
      • Designed for secure access
      • High capacity (5,000 users per appliance)
      • Upgradable to NetScaler for additional functionality
      [appliance label: Access Gateway MPX 5500]
      • Ideal for secure access to XenApp and XenDesktop
      • Designed to upgrade Secure Gateway
      • Capacity for medium-size deployments (500 users per appliance)
      [appliance label: Access Gateway 2010]
      • Virtual appliance with same functionality as Access Gateway 2010
      [appliance label: Access Gateway VPX]
      • Designed to upgrade Secure Gateway
      • Capacity for medium-size deployments (500 users per appliance)
      • Available for Citrix XenServer or VMware ESX (NEW!) hypervisors
  • Which Appliance To Choose [appliances pictured: NetScaler MPX 7500 or higher, Access Gateway MPX 5500, Access Gateway 2010, Access Gateway VPX]
      • How many users?
      • What form factor?
      • Physical or Virtual appliance?
      • Will the appliance be dedicated for remote access?
      • Multi-function appliance required?
      • How many sites need to be supported?
      • Certificate based authentication?
      • Client certificates?
  • Basic High Availability: appliance failover avoids a single point of failure [diagram: primary and secondary appliance sharing a single external IP address and a single internal IP address]
      • Available with all appliance models (New! on Model 2010 and VPX)
      • Avoid single points of failure in Access Gateway deployments (including Access Controller servers)
  • Achieve Business Continuity with NetScaler & Global Server Load Balancing
      • Enable multiple site deployments transparently to users
      • Route users to the nearest and most available datacenter
  • Best SSL VPN to use within Citrix environments
      • Secure Gateway Upgrade
          • Seamless support for Citrix Receiver and Dazzle
          • Adaptive Policy Control
          • Single point of secure access for all Citrix solutions
          • Cost-effective (No user licenses required)
      • Flexible deployment options
          • Hardened physical appliance
          • Virtual appliance
          • Business continuity options available
      • Use Access Gateway with XenDesktop and XenApp
  • Access Gateway 5.0 – Release Overview
      • Replacement for Access Gateway Standard and Advanced
          • For SMB and midsize organizations
          • Runs on the Model 2010 and AG VPX only
      • All new appliance firmware with simplified administration
      • Architecture refresh will increase feature velocity
      • Delivers new features for existing AG-S/A customers
          • Subscription Advantage Eligibility date: Sep 1, 2010
  • New! Access Gateway VPX for VMware ESX
      • Access Gateway VPX
          • Same features as the Model 2010 physical appliance
          • Supported on Citrix XenServer and VMware ESX
      • Supports up to 500 concurrent users
      • List price $995
          • Same as XenServer version
          • Includes 1 yr Subscription Advantage
      • Free 5-user VPX Express Edition
          • www.citrix.com/tryaccessgateway
  • Choose a virtual appliance when…
      • Limited rack space or infrastructure is available
      • Agility and rapid recovery is important
          • Virtual appliances enable fast deployment and provisioning
          • Downtime is minimized through hardware independence
      • Cost-cutting is a requirement
          • Energy consumption reduced through consolidation
          • Standardizing hardware creates a pricing advantage with server vendors
      • A low-cost training & testing environment is needed
  • Licence Types
      • Platform license
          • Comes with AG appliance (upgrade / fulfillment)
          • Required for the Gateway to function
          • Allows XA / XD connections – basic logon points (SG replacement)
      • Universal license
          • CCU license – SmartAccess logon points
          • Full VPN tunnel & clientless access to websites and file shares
          • Endpoint analysis & policy-based SmartAccess
      • Express license
          • VPX appliance only
          • 1 platform – 5 users – 1 year
  • How do I deploy Access Gateway VPX?
  • How Can I Deploy Access Gateway VPX? VPX supports the same deployment modes as the Model 2010 appliance, including:
      • Single-DMZ deployment with SSL VPN access
      • Single-DMZ deployment with Citrix Web Interface “behind” Access Gateway VPX
      • Single-DMZ deployment with Citrix Web Interface “parallel” to Access Gateway VPX
      • “Advanced Access Control Mode” where policies are deferred to a Citrix AAC server (Access Gateway, Advanced Edition)
      • Multiple Access Gateway instances configured in a failover cluster
  • Web Interface Parallel to Access Gateway [diagram: XenApp Online Plugin, Access Gateway, Web Interface, XenApp]
  • Web Interface Behind Access Gateway [diagram: XenApp Online Plugin, Access Gateway, Web Interface, XenApp]
  • Full VPN Access [diagram: Access Gateway Plugin, Access Gateway, Web Interface, XenApp, Microsoft SharePoint, file shares, other]
  • Access Gateway with Citrix Receiver [diagram: Citrix Receiver, Citrix Dazzle, Access Gateway, Web Interface, Merchandising Server, XenApp]
  • Advanced Access Control [diagram: XenApp Online Plugin or Access Gateway Plugin, Access Gateway, Advanced Access Control, Web Interface, XenApp]
  • NIC Bonding
      • Join multiple physical network interfaces (PIFs) in XenServer
      • Bonded NICs appear as a single virtual interface (VIF) to a virtual machine
      • NIC Bonding increases fault tolerance
      • PIFs work in Active/Active mode
  • High Availability
      • Group multiple XenServer host machines into a “server pool”
      • During a XenServer host failure, Access Gateway VPX is initialized on another XenServer in the pool
      • Active user sessions need to be re-established
  • XenMotion
      • Transfer a running instance of Access Gateway VPX from one physical XenServer host to another XenServer host without terminating existing user sessions.
  • Add a Failover Gateway [diagram: primary appliance (Model 2010) and secondary appliance (Access Gateway VPX) behind an external virtual IP address and an internal virtual IP address, in front of internal resources]
      • Add VPX as a failover server for an existing deployment
      • If the appliance is ever unavailable, clients use the VPX
  • Installing Access Gateway VPX
      1. Install Citrix XenServer and XenCenter
      2. Obtain virtual image file cag.xva (295.5 MB)
      3. Using XenCenter, import the virtual machine.
          • Import type: Exported VM
      4. Browse to select the cag.xva file
      5. Virtual machine import takes a few minutes to complete
      6. Virtual image starts up with default IP address 10.20.30.40
  • Initial Configuration – Within XenCenter
      1. In XenCenter, select the Access Gateway virtual machine and click the Console tab
      2. Log on. Username: admin, Password: admin
      3. Use the text-based menu to set IP address & default gateway
  • Console Menu
        Access Gateway, 5.0.0.144025, 2010-08-30
        -----------------------------------
        Main Menu
        -----------------------------------
        [0] Express Setup
        [1] System
        [2] Troubleshooting
        [3] Help
        [4] Log Out
        ------------
        Choice:
    Use Express Setup to set IP address, subnet mask & default gateway
  • Initial Configuration – Using Browser-based Admin Tool
      • After changing the AG VPX IP address, point a browser to https://<IPAddress>/lp/adminlogonpoint
      • Log on as admin / admin
  • Appliance Setup
      1. Create authentication profile(s) – LDAP, RADIUS, RSA
      2. Set the host name
      3. Request and install an SSL certificate
      4. Install the free Access Gateway Platform License
      5. Add Secure Ticket Authorities and ICA ACLs
      6. Create a Basic Logon Point for use with Web Interface
    Detailed steps available at edocs.citrix.com
  • Configuring the Logon Point
      • Select “Basic”
      • Enter WI URL
      • Select Auth Profile
      • Enable Single Sign-on
      • Click Save
  • Configuring Web Interface
  • Create a New Web Interface Site…
  • …with Authentication Performed At Access Gateway
  • Enter Access Gateway Authentication Service URL: Web Interface must be able to reach this URL and make a trusted SSL connection
  • Set Default Access Settings to “Gateway Direct”
  • Provide Gateway Address for Clients: the address (FQDN) must match the gateway’s SSL certificate name
  • Add Secure Ticket Authority Addresses: configure the same STA URLs on Access Gateway
  • End User Access
  • Discontinued Features
      • Standard Edition
          • DMZ with double hop
          • Dynamic routing with Routing Information Protocol (RIP)
          • Windows NT LAN Manager (NTLM) as authentication method
          • Locally defined Access Gateway users
      • Advanced Edition
          • Live Edit
          • HTML preview
          • Web E-Mail
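
The Web Interface slides above require that the gateway address given to clients (FQDN) match the gateway's SSL certificate name and that Web Interface can make a trusted SSL connection to the gateway. The following check of both conditions is an added example, not part of the presentation and not Citrix code; the host names and certificate data are constructed, and the common-name fallback is an assumption that mirrors legacy clients.

```python
import socket
import ssl

# Constructed sample data in the dict layout returned by ssl.SSLSocket.getpeercert().
SAN_CERT = {"subject": ((("commonName", "gateway.example.com"),),),
            "subjectAltName": (("DNS", "gateway.example.com"), ("DNS", "ag.example.com"))}
WILDCARD_CERT = {"subject": ((("commonName", "*.example.com"),),),
                 "subjectAltName": (("DNS", "*.example.com"),)}
CN_ONLY_CERT = {"subject": ((("commonName", "gateway.example.com"),),)}


def dns_name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with a host name, label by label.

    A '*' is honoured only as the complete leftmost label and never for a
    bare "*.tld", so "*.example.com" covers "ag.example.com" but not
    "a.b.example.com" or "example.com".
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def names_in_cert(cert: dict) -> list:
    """DNS names from subjectAltName; common name only if no SAN DNS entry exists.

    The common-name fallback is an assumption that mirrors legacy clients.
    """
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def gateway_name_ok(cert: dict, fqdn: str) -> bool:
    """True if the FQDN handed to clients is covered by the gateway certificate."""
    return any(dns_name_matches(name, fqdn) for name in names_in_cert(cert))


def fetch_trusted_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the certificate; raises ssl.SSLError if the chain is not trusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared above
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Calling `gateway_name_ok(fetch_trusted_cert(fqdn), fqdn)` from the Web Interface server exercises both requirements at once: the fetch fails on an untrusted chain, and the name check fails when clients would be sent to an address the certificate does not cover, such as the appliance's IP address.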