CITRIX ACCESS GATEWAY 4

Although Citrix has long provided secure remote access via the Internet, enterprise organizations often struggled with providing Internet access to their environments because of security concerns. Although both Citrix's ICA and Microsoft's RDP support 128-bit encryption, both protocols also require that firewall ports be opened at both the client and data-center sides of the Internet. This firewall change creates both logistical and security challenges for companies, especially where the far-side firewall is outside the company's control. One example is when a company's employees are housed on another company's campus (either temporarily or for the duration of a longer project) and cannot alter the firewall rules at their location.

The Citrix Access Suite facilitates this objective with two options:

  • Citrix Access Gateway (hardware appliance-based)

  • Secure Gateway component of Citrix Presentation Server (software-based)

Both solutions convert ICA traffic from port 1494 to port 443 (SSL) in the data-center DMZ. Since SSL is a widely supported standard and is used for many other Web purposes, it provides a widely accepted transmission method for traffic traversing firewalls and the Internet.
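The firewall model this implies can be checked mechanically. The following is an added example, not from the book: it audits a simplified allow-list so that only port 443 reaches the DMZ gateway from the Internet and port 1494 flows only from the DMZ to named Presentation Server hosts. The zone names, host names and rule format are constructed assumptions.

```python
from dataclasses import dataclass

ICA_PORT = 1494  # native ICA port named on the page
SSL_PORT = 443   # SSL port the gateway exposes

@dataclass(frozen=True)
class Rule:
    src_zone: str  # "internet", "dmz" or "internal" (constructed zone names)
    dst_zone: str
    dst_host: str  # host name, or "any"
    port: int
    action: str = "allow"

def audit(rules, gateway, farm_hosts):
    """Return findings for a rule set that should match the DMZ gateway model.

    Rule ordering and shadowing are not modelled; every 'allow' is treated as live.
    """
    allows = [r for r in rules if r.action == "allow"]
    findings = []
    for r in allows:
        if r.src_zone == "internet" and r.port == ICA_PORT:
            findings.append(f"ICA/{ICA_PORT} reachable from Internet at {r.dst_host}")
        elif r.src_zone == "internet" and r.dst_zone == "internal":
            findings.append(f"Internet reaches internal host {r.dst_host}:{r.port}")
        elif (r.src_zone, r.dst_zone, r.port) == ("dmz", "internal", ICA_PORT) \
                and r.dst_host not in farm_hosts:
            findings.append(f"DMZ ICA rule too broad: {r.dst_host}")
    # The two paths the gateway model depends on must be present.
    if Rule("internet", "dmz", gateway, SSL_PORT) not in allows:
        findings.append(f"missing: Internet -> {gateway}:{SSL_PORT}")
    for host in farm_hosts:
        if Rule("dmz", "internal", host, ICA_PORT) not in allows:
            findings.append(f"missing: DMZ -> {host}:{ICA_PORT}")
    return findings

# Constructed sample data: hypothetical gateway and farm host names.
GATEWAY = "gw.dmz.example"
FARM = ("ps1.int.example", "ps2.int.example")
# Direct ICA publishing: port 1494 opened from the Internet to each server.
LEGACY = [Rule("internet", "internal", "ps1.int.example", ICA_PORT),
          Rule("internet", "internal", "ps2.int.example", ICA_PORT)]
# Gateway model: 443 to the DMZ gateway, 1494 only from the DMZ to the farm.
GATEWAYED = [Rule("internet", "dmz", GATEWAY, SSL_PORT),
             Rule("dmz", "internal", "ps1.int.example", ICA_PORT),
             Rule("dmz", "internal", "ps2.int.example", ICA_PORT),
             Rule("internet", "any", "any", 0, "deny")]

if __name__ == "__main__":
    for name, rs in (("legacy", LEGACY), ("gatewayed", GATEWAYED)):
        print(name, audit(rs, GATEWAY, FARM) or "ok")
```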

The Access Gateway SSL VPN Appliance

The Citrix Access Gateway is a 1U security appliance that is a hybrid SSL-IPsec VPN device. In addition to providing general VPN services, this device is also integrated with Citrix Presentation Server to allow Citrix customers to run both applications that are deployed via Presentation Server and applications that are provided through client/server and N-tier deployments via VPN.

Citrix Access Suite includes all user connectivity licenses required for the Access Gateway, but the Access Gateway appliance unit(s) must be purchased separately. The Access Gateway unit has a list price of $2,995 at the time of this writing and can be purchased by itself or in a high-availability pair bundle.

The most talked-about feature of the Access Gateway is its simplicity. The small-footprint user client is much simpler than standard IPsec clients and does not require manual client updates, and the device itself is based on a simple Linux kernel.

In addition to being simple, the Citrix Access Gateway Advanced Edition supports advanced access controls. With this edition, the native policies in Presentation Server can be extended by integrating with the Citrix Access Gateway. This integration allows the administrator to extend the policies to include information about the connection path and information gathered at the endpoint through an extensible Endpoint Analysis client.

It is important to note that the Access Gateway does not include Web Interface capabilities. So in most cases, Presentation Server customers will want to utilize a Web Interface Server to provide Web-based access to Presentation Server users.

Secure Gateway of Citrix Presentation Server

For organizations that wish to use a Windows-based solution to provide both a Web Interface presentation of Citrix applications and an SSL gateway, Citrix Presentation Server's Web Interface and Secure Gateway components are the answer. Web Interface and Secure Gateway are included with all versions of Citrix Presentation Server. Starting with Presentation Server 3.0, Secure Gateway and Web Interface are supported on one server, making it inexpensive and simple to deploy. Secure Gateway converts ICA traffic from port 1494 to port 443 (SSL) in the data-center DMZ. Secure Gateway requires several additional server hardware components. See Figure 3-4 for a diagram of a Secure Gateway implementation.

Figure 3-4: Presentation Server Secure Gateway example deployment

Citrix Web Interface

Citrix Web Interface, whether used in conjunction with the Citrix Access Gateway or with Secure Gateway, enables users to integrate applications and data that are published into customized Web portals for the end user, who then can access applications via a Web browser.

In addition to publishing applications to the familiar Web browser interface, another popular use of Web Interface for Presentation Server is to deploy the ICA client itself. Web Interface provides for automatic download and updates of the ICA client, largely transparent to the user, upon user logon. This provides a very fast and clean deployment and update mechanism for first-time Citrix users and remote users.

Using Web Interface, the presentation layer elements of multiple applications can be combined on a single page for exposure to the end user as a single, unified application. A simple wizard is provided to aid the administrator in defining the portal contents, which may include applications hosted on Presentation Server and Presentation Server for UNIX servers. Support for Presentation Server for UNIX enables the Web Interface for Presentation Server portal to be used to integrate both Windows- and UNIX-based applications and data.

Web Interface for Presentation Server portals can be customized to meet the needs of individual users, who access their applications in accordance with a user or group account logon, or general-purpose portals that can be fielded for access by anonymous users. Either way, the portals, like other Presentation Server applications, are managed via the same set of Presentation Server utilities used to manage and control other applications published through Citrix Presentation Server.



Citrix Access Suite 4 for Windows Server 2003: The Official Guide, Third Edition
ISBN: 0072262893
Year: 2004
Pages: 137
