Secure Delivery of Virtual Desktops with Citrix Access Gateway


Published in: Technology

  1. Citrix Access Gateway 5.0
     Daniel Künzli, Systems Engineer ANG, Citrix Systems GmbH, Switzerland
  2. Secure access to Citrix app and desktop virtualization
     An integrated delivery infrastructure
     Diagram labels: Citrix Receiver, Citrix Branch Repeater, Citrix Access Gateway, XenApp, XenDesktop, XenServer, NetScaler, Delivery Network
  3. What is Citrix Access Gateway?
     Citrix Access Gateway™ is the only secure application and desktop access solution that provides administrators with application-level control while empowering users with access from anywhere.
     • HDX SmartAccess
     • Adaptive Policy Control
     • Best Performance & Flexible Deployment
  4. Seamless access through Citrix Receiver
     Broad Platform Support
     • Windows
     • Mac
     • Linux
     • iPhone and iPad
     • Android
     • Blackberry
     • Java
     Citrix Confidential - Do Not Distribute
  5. Adaptive Policy Control
     Diagram (layout not recoverable). Legible labels: "Other SSL VPNs only go this far"; Endpoint Analysis; Authentication; Access Control; Application-level Control; VPN Access; Clientless Access; XenApp (Applications, Virtual Channels); XenDesktop (Desktops, Virtual Channels)
  6. Appliance Options • Multi-function appliance (secure access, load-balancing, acceleration) • Highest capacity (10,000+ users per appliance) • Most reliable hardware NetScaler MPX 7500 or higher • Ideal for business continuity across multiple datacenters • Designed for secure access • High capacity (5,000 users per appliance) • Upgradable to NetScaler for additional functionality Access Gateway MPX 5500 • Ideal for secure access to XenApp and XenDesktop • Designed to upgrade Secure Gateway • Capacity for medium-size deployments (500 users per appliance) Access Gateway 2010 • Virtual appliance with same functionality as Access Gateway 2010 Access Gateway VPX • Designed to upgrade Secure Gateway • Capacity for medium-size deployments (500 users per appliance) • Available for Citrix XenServer or VMware ESX (NEW!) hypervisors
  7. Which Appliance To Choose
     Appliances: NetScaler MPX 7500 or higher, Access Gateway MPX 5500, Access Gateway 2010, Access Gateway VPX
     • How many users?
     • What form factor?
     • Physical or Virtual appliance?
     • Will the appliance be dedicated for remote access?
     • Multi-function appliance required?
     • How many sites need to be supported?
     • Certificate based authentication?
     • Client certificates?
  8. Basic High Availability
     Appliance Failover avoids a single point of failure
     Diagram labels: Primary, Secondary, Single External IP Address, Single Internal IP Address
     • Available with all appliance models (New! on Model 2010 and VPX)
     • Avoid single points of failure in Access Gateway deployments (including Access Controller servers)
  9. Achieve Business Continuity with NetScaler & Global Server Load Balancing
     • Enable multiple site deployments transparently to users
     • Route users to the nearest and most available datacenter
  10. Best SSL VPN to use within Citrix environments
     Secure Gateway Upgrade
     • Seamless support for Citrix Receiver and Dazzle
     • Adaptive Policy Control
     • Single point of secure access for all Citrix solutions
     • Cost-effective (No user licenses required)
     Flexible deployment options
     • Hardened physical appliance
     • Virtual appliance
     • Business continuity options available
     Use Access Gateway with XenDesktop and XenApp
  11. Access Gateway 5.0 – Release Overview
     Replacement for Access Gateway Standard and Advanced
     • For SMB and midsize organizations
     • Runs on the Model 2010 and AG VPX only
     All new appliance firmware with simplified administration
     Architecture refresh will increase feature velocity
     Delivers new features for existing AG-S/A customers
     • Subscription Advantage Eligibility date: Sep 1, 2010
  12. New! Access Gateway VPX for VMware ESX
     Access Gateway VPX
     • Same features as the Model 2010 physical appliance
     • Supported on Citrix XenServer and VMware ESX
     Supports up to 500 concurrent users
     List price $995
     • Same as XenServer version
     • Includes 1 yr Subscription Advantage
     Free 5-user VPX Express Edition
  13. Choose a virtual appliance when…
     Limited rack space or infrastructure is available
     Agility and rapid recovery is important
     • Virtual appliances enable fast deployment and provisioning
     • Downtime is minimized through hardware independence
     Cost-cutting is a requirement
     • Energy consumption reduced through consolidation
     • Standardizing hardware creates a pricing advantage with server vendors
     A low-cost training & testing environment is needed
  14. Licence Types
     • Platform license
        • Comes with AG appliance (upgrade / fulfillment)
        • Required for the Gateway to function
        • Allows XA / XD connections – basic logon points (SG replacement)
     • Universal license
        • CCU license – Smart Access logon points
        • Full VPN Tunnel & clientless access to websites and fileshares
        • Endpoint analysis & policy-based SmartAccess
     • Express license
        • VPX appliance only
        • 1 platform – 5 users – 1 year
  15. How do I deploy Access Gateway VPX?
  16. How Can I Deploy Access Gateway VPX?
     VPX supports the same deployment modes as the Model 2010 appliance, including:
     • Single-DMZ deployment with SSL VPN access
     • Single-DMZ deployment with Citrix Web Interface “behind” Access Gateway VPX
     • Single-DMZ deployment with Citrix Web Interface “parallel” to Access Gateway VPX
     • “Advanced Access Control Mode” where policies are deferred to a Citrix AAC server (Access Gateway, Advanced Edition)
     • Multiple Access Gateway instances configured in a failover cluster
  17. Web Interface Parallel to Access Gateway
     Diagram labels: XenApp Online Plugin, Access Gateway, Web Interface, XenApp
  18. Web Interface Behind Access Gateway
     Diagram labels: XenApp Online Plugin, Access Gateway, Web Interface, XenApp
  19. Full VPN Access
     Diagram labels: Access Gateway Plugin, Access Gateway, XenApp, Web Interface, Microsoft SharePoint, File shares, Other
  20. Access Gateway with Citrix Receiver
     Diagram labels: Citrix Receiver, Citrix Dazzle, Access Gateway, XenApp, Web Interface, Merchandising Server
  21. Advanced Access Control
     Diagram labels: XenApp Online Plugin - OR - Access Gateway Plugin, Access Gateway, XenApp, Web Interface, Advanced Access Control
  22. NIC Bonding
     • Join multiple physical network interfaces (PIFs) in XenServer
     • Bonded NICs appear as a single virtual interface (VIF) to a virtual machine
     • NIC Bonding increases fault tolerance
     • PIFs work in Active/Active mode
  23. High Availability
     • Group multiple XenServer host machines into a “server pool”
     • During a XenServer host failure, Access Gateway VPX is initialized on another XenServer in the pool
     • Active user sessions need to be re-established
  24. XenMotion
     • Transfer a running instance of Access Gateway VPX from one physical XenServer host to another XenServer host without terminating existing user sessions.
  25. Add a Failover Gateway
     • Add VPX as a failover server for an existing deployment
     • If the appliance is ever unavailable, clients use the VPX
     Diagram labels: Primary Appliance (Model 2010), Secondary Appliance (Access Gateway VPX), External Virtual IP Address, Internal Virtual IP Address, Internal Resources
  26. Installing Access Gateway VPX
     1. Install Citrix XenServer and XenCenter
     2. Obtain virtual image file cag.xva (295.5 MB)
     3. Using XenCenter, import the virtual machine
        • Import type: Exported VM
     4. Browse to select the cag.xva file
     5. Virtual machine import takes a few minutes to complete
     6. Virtual image starts up with default IP address
  27. Initial Configuration – Within XenCenter
     1. In XenCenter, select the Access Gateway virtual machine and click the Console tab
     2. Log on (Username: admin, Password: admin)
     3. Use the text-based menu to set IP address & default gateway
  28. Console Menu
         Access Gateway,, 2010-08-30
         -----------------------------------
         Main Menu
         -----------------------------------
         [0] Express Setup
         [1] System
         [2] Troubleshooting
         [3] Help
         [4] Log Out
         ------------
         Choice:
     Use Express Setup to set IP address, subnet mask & default gateway
  29. Initial Configuration – Using Browser-based Admin Tool
     • After changing the AG VPX IP address, point a browser to https://<IPAddress>/lp/adminlogonpoint
     • Log on as admin / admin
  30. Initial Configuration – Using Browser-based Admin Tool
  31. Appliance Setup
     1. Create authentication profile(s) – LDAP, RADIUS, RSA
     2. Set the host name
     3. Request and install an SSL certificate
     4. Install the free Access Gateway Platform License
     5. Add Secure Ticket Authorities and ICA ACLs
     6. Create a Basic Logon Point for use with Web Interface
     Detailed steps available at
  32. Configuring the Logon Point
     • Select “Basic”
     • Enter WI URL
     • Select Auth Profile
     • Enable Single Sign-on
     • Click Save
  33. Configuring Web Interface
  34. Create a New Web Interface Site…
  35. …with Authentication Performed At Access Gateway
  36. Enter Access Gateway Authentication Service URL
     Web Interface must be able to reach this URL and make a trusted SSL connection
  38. Set Default Access Settings to “Gateway Direct”
  39. Provide Gateway Address for Clients
     Address (FQDN) must match the gateway’s SSL certificate name
  40. Add Secure Ticket Authority Addresses
     Configure the same STA URLs on Access Gateway
  41. End User Access
  42. End User Access
  43. Discontinued Features
     • Standard Edition
        • DMZ with double hop
        • Dynamic routing with Routing Information Protocol (RIP)
        • Windows NT LAN Manager (NTLM) as authentication method
        • Locally defined Access Gateway users
     • Advanced Edition
        • Live Edit
        • HTML preview
        • Web E-Mail
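
Slides 36, 39 and 40 state three conditions that must hold between Web Interface and Access Gateway: a trusted SSL connection to the authentication service URL, a client-facing FQDN that matches the certificate name, and identical STA URLs on both sides. The pre-flight check below is an added example, not part of the original slides or of any Citrix tooling; the function names, host names and URL paths are hypothetical, and certificate chain trust is assumed to be verified separately.

```python
from urllib.parse import urlsplit

def name_matches(pattern, host):
    """Certificate name match; '*' may stand only for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def normalize_sta(url):
    """Canonical scheme://host:port/path so cosmetic differences are ignored."""
    u = urlsplit(url.strip())
    port = u.port or (443 if u.scheme == "https" else 80)
    return f"{u.scheme}://{u.hostname}:{port}{u.path.rstrip('/')}"

def preflight(gateway_fqdn, cert_names, auth_url, wi_stas, ag_stas):
    """Return a list of findings; an empty list means both sides agree."""
    def covered(host):
        return any(name_matches(n, host) for n in cert_names)

    findings = []
    # Slide 39: the client-facing address must match the certificate name.
    if not covered(gateway_fqdn):
        findings.append(f"gateway address {gateway_fqdn} not in certificate names")
    # Slide 36: Web Interface needs a trusted SSL connection to this URL.
    auth = urlsplit(auth_url)
    if auth.scheme != "https":
        findings.append("authentication service URL is not https")
    elif not covered(auth.hostname or ""):
        findings.append(f"authentication service host {auth.hostname} not in certificate names")
    # Slide 40: the STA lists on both sides must be the same.
    wi = {normalize_sta(u) for u in wi_stas}
    ag = {normalize_sta(u) for u in ag_stas}
    findings += [f"STA only on Web Interface: {u}" for u in sorted(wi - ag)]
    findings += [f"STA only on Access Gateway: {u}" for u in sorted(ag - wi)]
    return findings

# Constructed sample values (hypothetical hosts and paths, not from the slides).
CERT_NAMES = ["gateway.example.com"]
WI_STAS = ["http://sta1.example.internal/sta", "http://sta2.example.internal/sta"]
AG_STAS = ["HTTP://STA1.example.internal:80/sta/"]

if __name__ == "__main__":
    for finding in preflight("gw.example.com", CERT_NAMES,
                             "https://10.0.0.5/auth", WI_STAS, AG_STAS):
        print("FAIL:", finding)
```

With the sample values, the check reports the mismatched gateway name, the IP-based authentication URL that the certificate does not cover, and the STA that is configured on Web Interface only.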