3. What is Citrix Access Gateway? Citrix Access Gateway™ is a single solution for secure access to applications and virtual desktops that gives administrators application-level control and provides access from anywhere in the world. SmartAccess. Best performance and scalability. Easy to use and deploy.
8. Deploying Access Gateway. Access Gateway simplifies firewall configuration and secures the path between the internet gateway, the servers and user devices. The scenarios in which firewalls are typically used include: deploying AG in the DMZ; deploying AG in the secure network.
16. Citrix Access Gateway: the best solution for secure access to applications from anywhere, giving administrators full control over access.
The core problem solved by Access Gateway is providing secure anywhere access to applications and data. This need is being driven by many business pressures, such as globalization – IT organizations must support many different types of users, such as remote workers, tele-workers, day extenders, business partners, contractors etc. All of these users need access to their applications and data, while IT needs to easily enforce comprehensive security policies that dictate who has access to which applications and data under what circumstances. Data leak incidents cost on average $6.6 Million per incident: http://www.washingtonpost.com/wp-dyn/content/article/2009/02/02/AR2009020203064.html
Citrix Access Gateway is an SSL VPN designed specifically to securely deliver Applications and Virtual Desktops. Regardless of the type of application and how it is implemented within the datacenter, Access Gateway provides a secure single point of access that makes it easy for users to gain access to applications and data and easy for administrators to deploy the necessary security to protect sensitive data. Granular application-level policies can be set using SmartAccess technology and Access Gateway provides the highest levels of performance and scalability in the industry – our enterprise-class appliances can support up to 10,000 concurrent users per appliance.
The patented SmartAccess technology in Access Gateway lets administrators manage access control and set rules that define acceptable actions based on the user's identity and the configuration of the endpoint device. For example, a user may have full access (read, save locally, print, and so on) to a set of files when using an office computer, but may be restricted to read-only access in less secure remote-access scenarios, such as connecting from an unidentified device. Similarly, if an employee tries to log in to the corporate network from a home computer that does not have an up-to-date antivirus service, that employee may be unable to reach some critical systems. With SmartAccess, administrators have maximum flexibility in designing and implementing corporate policies that enforce data and application security.
Access Gateway is the best SSL VPN to use with XenApp. By replacing the Secure Gateway, administrators can achieve the following:
Improve security by placing hardened appliances, not Windows Servers, in the DMZ to protect the datacenter.
Provide a single logon experience to XenApp Web Interface: users only need to type in passwords once.
Empower authorized users with a single point of access to all types of applications and protocols, not just XenApp published Windows applications. This includes file shares, internal web applications, e-mail, VoIP and more.
Choose the right solution to meet your business needs. A wide variety of appliances provide scalability up to 10,000 concurrent users per appliance, and the enterprise-class appliances may be optionally purchased with high availability configurations and/or cross-site business continuity (e.g. if one datacenter experiences downtime, users can be automatically re-routed to a different datacenter). More details about business continuity options appear in another 2 slides.
Control both access and actions allowed for a given user based on multiple access scenarios. This ‘SmartAccess’ capability would, for example, allow you to specify ‘full access’ to a user’s applications (read, download files, upload files, print, etc.) if they use their corporate-managed PC; and ‘limited access’ to the same applications (cannot download files, upload files or print) if that same user logs in with their home PC.
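The SmartAccess behaviour described in the two notes above (full access from a managed office PC, read-only from an unidentified device, no access to critical systems without current antivirus) can be modelled as an ordered policy list evaluated against the user's identity and the endpoint-analysis result. The following is an added example written for this page, not Citrix code: the endpoint scan fields, policy names, group names and application names are all constructed for the illustration.

```python
"""SmartAccess-style policy evaluation (added example; not Citrix code).

A Session carries the user's identity and the result of the endpoint scan;
an ordered policy list maps that combination to the set of actions allowed
for each application. No matching policy means the application is denied.
All field, policy, group and application names are constructed here.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List

FULL = frozenset({"read", "save_local", "download", "upload", "print"})
READ_ONLY = frozenset({"read"})


@dataclass(frozen=True)
class Endpoint:
    corporate_managed: bool   # device is enrolled and managed by IT
    antivirus_current: bool   # endpoint scan found up-to-date antivirus
    identified: bool          # False for an unknown or kiosk device


@dataclass(frozen=True)
class Session:
    user: str
    groups: FrozenSet[str]
    endpoint: Endpoint


@dataclass(frozen=True)
class Policy:
    name: str
    applications: FrozenSet[str]
    required_groups: FrozenSet[str]          # empty = any authenticated user
    condition: Callable[[Endpoint], bool]    # endpoint-analysis expression
    grants: FrozenSet[str]


# Ordered list: the first policy whose application, group and endpoint checks
# all pass decides the outcome, so the most demanding rules come first.
POLICIES: List[Policy] = [
    Policy("critical-systems", frozenset({"finance-db"}), frozenset({"finance"}),
           lambda e: e.corporate_managed and e.antivirus_current, FULL),
    Policy("full-from-managed-pc", frozenset({"file-share", "mail"}), frozenset(),
           lambda e: e.corporate_managed and e.antivirus_current, FULL),
    # Any other endpoint, including an unidentified one, gets read-only access.
    Policy("limited-remote", frozenset({"file-share", "mail"}), frozenset(),
           lambda e: True, READ_ONLY),
]


def allowed_actions(session: Session, app: str,
                    policies: List[Policy] = POLICIES) -> FrozenSet[str]:
    """Return the actions permitted for `app`; an empty set means access is denied."""
    for policy in policies:
        if app not in policy.applications:
            continue
        if policy.required_groups and not (policy.required_groups & session.groups):
            continue
        if not policy.condition(session.endpoint):
            continue
        return policy.grants
    return frozenset()


if __name__ == "__main__":
    office = Session("alice", frozenset({"finance"}),
                     Endpoint(corporate_managed=True, antivirus_current=True, identified=True))
    home = Session("alice", frozenset({"finance"}),
                   Endpoint(corporate_managed=False, antivirus_current=False, identified=True))
    for s in (office, home):
        for app in ("finance-db", "file-share"):
            print(s.endpoint, app, sorted(allowed_actions(s, app)))
```

Because the default is deny, an application that no policy names is unreachable regardless of endpoint state; that is the safe direction for a gateway, and the ordering of the list is what prevents the permissive `limited-remote` rule from shadowing the stricter ones.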
Two Access Gateway appliances can be configured as a failover pair. The appliances operate in active/passive mode, with the primary appliance servicing all user connections and the secondary appliance monitoring the primary and synchronizing session information. If the primary appliance fails, the secondary appliance takes over.
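To make the active/passive behaviour above concrete, the following added example (written for this page, not Citrix code) models two appliances whose session table is mirrored from the active node to the standby, with a heartbeat counter that only triggers takeover after several consecutive missed probes. The node names, session ids and the missed-heartbeat threshold are constructed for the illustration and are simplified stand-ins for the appliance's own mechanisms.

```python
"""Active/passive failover pair with session state synchronisation.

Added illustration, not Citrix code: the heartbeat, session replication and
takeover below are simplified stand-ins for the appliance's own mechanisms,
and the node names, session ids and thresholds are constructed.
"""


class Appliance:
    def __init__(self, name: str):
        self.name = name
        self.role = "passive"      # "active", "passive" or "failed"
        self.healthy = True
        self.sessions = {}         # session id -> user
        self.peer = None

    def open_session(self, sid: str, user: str) -> None:
        """Only the active node accepts connections; state is mirrored to the peer."""
        if self.role != "active":
            raise RuntimeError(f"{self.name} is not active")
        self.sessions[sid] = user
        if self.peer is not None and self.peer.healthy:
            self.peer.sessions[sid] = user

    def close_session(self, sid: str) -> None:
        self.sessions.pop(sid, None)
        if self.peer is not None and self.peer.healthy:
            self.peer.sessions.pop(sid, None)


class FailoverPair:
    def __init__(self, primary: Appliance, secondary: Appliance, missed_limit: int = 3):
        primary.peer, secondary.peer = secondary, primary
        primary.role, secondary.role = "active", "passive"
        self.primary, self.secondary = primary, secondary
        self.missed_limit = missed_limit   # heartbeats missed before takeover
        self.missed = 0

    def active(self) -> Appliance:
        return self.primary if self.primary.role == "active" else self.secondary

    def standby(self) -> Appliance:
        return self.secondary if self.active() is self.primary else self.primary

    def tick(self) -> Appliance:
        """One heartbeat interval: the standby probes the active node and takes
        over only after missed_limit consecutive failures, so a single dropped
        probe does not cause a flapping failover. Returns the node now active."""
        current, standby = self.active(), self.standby()
        if current.healthy:
            self.missed = 0
            return current
        self.missed += 1
        if self.missed >= self.missed_limit and standby.healthy:
            current.role, standby.role = "failed", "active"
            self.missed = 0
        return self.active()


if __name__ == "__main__":
    ag1, ag2 = Appliance("ag-1"), Appliance("ag-2")
    pair = FailoverPair(ag1, ag2)
    ag1.open_session("s1", "alice")
    ag1.healthy = False
    for _ in range(3):
        print("active:", pair.tick().name)
    print("sessions on", ag2.name, ag2.sessions)
```

Because the session table was replicated while the primary was healthy, the user session survives the takeover; anything the failed node did after its last successful replication is lost, which is why the replication step runs on every session change rather than on a timer.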
You can configure Access Gateway to use LDAP, RADIUS or RSA SecurID authentication servers. Authentication on Access Gateway is configured using authentication profiles. Several profiles can be configured to accommodate sites with more than one LDAP or RADIUS server, or with a combination of authentication servers. The following figure shows Access Gateway connecting to and communicating with the authentication servers in the secure network.
Smart Card Authentication with Single Sign-On to Web Interface
Smart Card Authentication with LDAP Authorization
Support for Online Certificate Status Protocol (OCSP)
Authentication/Authorization Enhancements
Support recursive enumeration of nested LDAP groups.
Integrate with Imprivata to provide token-only logins, whereby the user authenticates using RADIUS with a one-time password and the RADIUS server returns the user's Windows password in its response to Access Gateway.
Allow users to change their Active Directory domain password at any time using the Access Interface (portal pages).
Allow the administrator to define groups for which logon should be allowed.
Forms Based SSO: support single sign-on to web applications that expect the username and password to be provided in an HTML form.
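Two of the enhancements above, recursive enumeration of nested LDAP groups and an administrator-defined list of groups permitted to log on, fit together: the logon check is only correct if group membership is resolved through nesting. The following added example (written for this page, not Citrix code) expands nested groups over a constructed in-memory directory that stands in for the `member` attributes an LDAP search would return; the distinguished names are invented, and the visited set and depth bound are there because real directories can contain membership cycles.

```python
"""Recursive expansion of nested directory groups with cycle protection.

Added example, not Citrix or Active Directory code. DIRECTORY is a
constructed map of group DN -> direct members (user DNs or other group DNs),
standing in for the results of an LDAP search on the `member` attribute.
"""
from typing import Dict, Iterable, List, Set

DIRECTORY: Dict[str, List[str]] = {
    "cn=vpn-users,ou=groups,dc=example,dc=com": [
        "cn=alice,ou=people,dc=example,dc=com",
        "cn=engineering,ou=groups,dc=example,dc=com",
    ],
    "cn=engineering,ou=groups,dc=example,dc=com": [
        "cn=bob,ou=people,dc=example,dc=com",
        "cn=platform,ou=groups,dc=example,dc=com",
    ],
    "cn=platform,ou=groups,dc=example,dc=com": [
        "cn=carol,ou=people,dc=example,dc=com",
        "cn=engineering,ou=groups,dc=example,dc=com",   # nesting cycle
    ],
    "cn=contractors,ou=groups,dc=example,dc=com": [
        "cn=dave,ou=people,dc=example,dc=com",
    ],
}


def effective_members(group_dn: str, directory: Dict[str, List[str]] = DIRECTORY,
                      max_depth: int = 32) -> Set[str]:
    """All user DNs reachable from group_dn, following nested groups.

    The visited set stops on cycles (platform -> engineering -> platform);
    max_depth bounds the walk in pathological trees. Members absent from the
    directory map are treated as users.
    """
    users: Set[str] = set()
    seen: Set[str] = set()

    def walk(dn: str, depth: int) -> None:
        if dn in seen or depth > max_depth:
            return
        seen.add(dn)
        for member in directory.get(dn, ()):
            if member in directory:
                walk(member, depth + 1)
            else:
                users.add(member)

    walk(group_dn, 0)
    return users


def effective_groups(user_dn: str, directory: Dict[str, List[str]] = DIRECTORY) -> Set[str]:
    """Inverse view: every group the user belongs to, directly or through nesting."""
    return {g for g in directory if user_dn in effective_members(g, directory)}


def logon_allowed(user_dn: str, allowed_groups: Iterable[str],
                  directory: Dict[str, List[str]] = DIRECTORY) -> bool:
    """Administrator-defined allowed groups: logon succeeds only if the user is
    an effective member of at least one of them."""
    return bool(effective_groups(user_dn, directory) & set(allowed_groups))


if __name__ == "__main__":
    vpn = "cn=vpn-users,ou=groups,dc=example,dc=com"
    print(sorted(effective_members(vpn)))
    for who in ("carol", "dave"):
        dn = f"cn={who},ou=people,dc=example,dc=com"
        print(who, "allowed:", logon_allowed(dn, [vpn]))
```

Without the recursive walk, carol (a member of `platform`, which is nested two levels under `vpn-users`) would be refused, and without the visited set the `engineering`/`platform` cycle would recurse until the interpreter's stack limit.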
The Distributed File System (DFS) technologies in Windows Server 2003 R2 offer wide area network (WAN)-friendly replication as well as simplified, fault-tolerant access to geographically dispersed files. The two technologies in DFS are as follows:
DFS Replication. New state-based, multimaster replication engine that is optimized for WAN environments. DFS Replication supports replication scheduling, bandwidth throttling, and a new byte-level compression algorithm known as remote differential compression (RDC).
DFS Namespaces. Technology that helps administrators group shared folders located on different servers and present them to users as a virtual tree of folders known as a namespace. DFS Namespaces was formerly known as Distributed File System in Windows 2000 Server and Windows Server 2003.
If you are using Windows Server 2003 R2 and want to keep folders synchronized, we recommend using DFS Replication instead of FRS. The DFS Replication system in Windows Server 2003 R2 has many benefits over the File Replication Service (FRS), including improved management tools, higher performance, and delegated management.