MetaFrame Secure Gateway Deployment


MetaFrame Secure Gateway functions as a secure Internet-ready gateway for Citrix Independent Computing Architecture (ICA) traffic between MetaFrame servers and Secure Sockets Layer (SSL)-enabled ICA Client workstations. All data traversing the Internet between the client workstation and the Secure Gateway server is encrypted, ensuring privacy and integrity of information flow. Secure Gateway provides a single point of entry and secures access to Citrix server farms. SSL technology is used for encryption, allowing secure transfer of data across public networks. Secure Gateway is also designed to make firewall traversal with MetaFrame solutions easier. It is completely transparent to both application programs and network devices, eliminating the need for any program modifications, firewall changes, or equipment upgrades.

Benefits of a Secure Gateway Deployment

As discussed in Chapters 3 and 12, MetaFrame Secure Gateway is one of the most significant new features Citrix has developed in the past three years. Although Citrix has long provided access via the Internet, before Secure Gateway organizations often struggled to provide Internet access to server-based computing (SBC) environments because of security concerns. Both Citrix's ICA and Microsoft's RDP protocols support 128-bit encryption, but both also require that a dedicated firewall port be opened on both the client and the data center sides of the Internet. MetaFrame Secure Gateway solves these security issues and provides the following benefits:

  • Strong encryption (128-bit SSL or TLS, with FIPS 140 compliant cipher suites available)

  • Authentication (achieved through Web Interface)

  • Hidden internal network addresses for Citrix servers

  • Firewall traversal through a widely accepted port (TCP port 443)

  • Simplified server certificate management (certificates are required only on the Secure Gateway server)

  • Simple support for a large number of servers

  • No requirement for separate client software (only a Secure Gateway-enabled ICA Client is required)

Opening these firewall ports creates both logistical and security challenges for companies, especially where the client-side firewall cannot be modified, for example when one company's employees are housed on another company's campus.

Secure Gateway solves this problem by encapsulating ICA traffic (TCP port 1494) into SSL (TCP port 443). Since SSL is a widely supported standard and utilized for many other web purposes, it provides a readily accepted transmission method for traffic traversing firewalls and the Internet.

A typical Secure Gateway deployment involves interaction of the following five Citrix components (also shown in Figure 16-2):

  • A client device with an ICA Client, Version 6.30 or later, installed

  • The MetaFrame Web Interface server

  • The MetaFrame Secure Ticket Authority (STA)

  • The MetaFrame Secure Gateway server

  • The Citrix MetaFrame server(s)

Figure 16-2: Citrix components required for Secure Gateway Deployment

End-User Interactions When Connecting to the Secure Gateway Deployment

The following section details the interactions between the client devices and the back-end secure access center infrastructure.

The user interactions are as follows:

  1. A user accesses the Web Interface URL with the web browser over port 80 (just like any other web site).

  2. The IIS-based web site hosting Web Interface has a default page that automatically redirects the user to an HTTPS URL. That URL terminates at the Secure Gateway service on the same server, which secures the traffic over port 443 before passing it to Web Interface.

  3. The user is now interacting securely with the Web Interface/Secure Gateway environment and is presented with the login page.

  4. The user enters their credentials and submits the authentication request, which is passed encrypted over SSL to the Secure Gateway service (thus preventing the user credentials from being passed in plain text).

  5. Secure Gateway decrypts the request and relays it to the Web Interface service, which passes the credentials to the MetaFrame farm over the defined Citrix XML service port (the default is port 80, but CME uses port 8081 for security purposes). Secure Gateway itself neither authenticates users nor contacts the STA at this point; the STA becomes involved only when an application is launched (steps 8 and 9).

  6. The user credentials are checked via the Citrix XML service and verified against Microsoft Active Directory (or another directory service, such as Novell eDirectory).

  7. Based on a successful authentication, the XML service communicates back to the Web Interface service and dynamically renders an access page for the user with their application set or indicates if there are any problems, displaying them in the MetaFrame XP Message Center.

  8. When a user clicks a published application, the Web Interface service sends the IP address and port of the MetaFrame server hosting that application to the STA and requests a session ticket for the user. Web Interface returns to the browser an ICA file containing the ticket and the external address of the Secure Gateway server, but not the MetaFrame server's address. The user-installed ICA Client reads this file and establishes an SSL connection to Secure Gateway over port 443.

  9. The Secure Gateway service receives the session ticket from the client over port 443 and contacts the STA to validate it. If the ticket is valid, the STA returns the IP address of the MetaFrame server on which the requested application resides. If the session ticket is invalid or has expired, the STA informs the Secure Gateway service and an error message appears on the client device.

  10. On receipt of the MetaFrame server's IP address, the Secure Gateway server opens an ICA connection to that server over TCP port 1494 and proxies the session. From then on, Secure Gateway decrypts data arriving from the client over SSL and forwards it to the MetaFrame server, and encrypts data returning from the server before sending it back to the client.
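The ten steps above hinge on the session ticket: the client only ever learns the gateway's address and an opaque ticket, and Secure Gateway only learns the internal MetaFrame address by redeeming that ticket with the STA. The following model of steps 8 through 10 is an added example, not Citrix code and not the real STA or ICA-file wire format. The ticket encoding, the 100-second lifetime, single-use redemption, the simplified ICA-file dictionary, the hostname `gateway.example.com` and the 10.0.5.x server addresses are all assumptions made for illustration.

```python
"""Model of the Web Interface / STA / Secure Gateway ticket exchange.

Added example, not Citrix code. Ticket format, lifetime and single-use
behaviour are simplifying assumptions chosen to show the security property:
the internal MetaFrame address never reaches the client.
"""
import secrets
import time

TICKET_LIFETIME_SECONDS = 100  # assumed lifetime; real STA tickets are short-lived


class SecureTicketAuthority:
    """Issues short-lived, single-use tickets mapping to an internal server address."""

    def __init__(self, lifetime=TICKET_LIFETIME_SECONDS, clock=time.time):
        self.lifetime = lifetime
        self.clock = clock          # injectable clock so expiry can be tested offline
        self._tickets = {}          # ticket -> (server_ip, server_port, expires_at)

    def request_ticket(self, server_ip, server_port):
        """Step 8: Web Interface hands over the target address, gets an opaque ticket."""
        ticket = secrets.token_hex(16)   # 128 bits of randomness; unguessable
        self._tickets[ticket] = (server_ip, server_port, self.clock() + self.lifetime)
        return ticket

    def validate_ticket(self, ticket):
        """Step 9: Secure Gateway redeems the ticket; returns (ip, port) or None."""
        entry = self._tickets.pop(ticket, None)   # pop: a ticket is redeemable once
        if entry is None:
            return None                           # unknown or already used
        server_ip, server_port, expires_at = entry
        if self.clock() > expires_at:
            return None                           # expired
        return server_ip, server_port


class WebInterface:
    """Builds the (simplified) ICA file returned to the browser."""

    def __init__(self, sta, gateway_fqdn):
        self.sta = sta
        self.gateway_fqdn = gateway_fqdn

    def launch(self, server_ip, server_port=1494):
        ticket = self.sta.request_ticket(server_ip, server_port)
        # Only the gateway address and the ticket leave the DMZ; the server IP does not.
        return {"gateway": f"{self.gateway_fqdn}:443", "ticket": ticket}


class SecureGateway:
    """Terminates the client's SSL session and proxies ICA to the server the STA names."""

    def __init__(self, sta):
        self.sta = sta
        self.connections = []

    def accept(self, ica_file):
        target = self.sta.validate_ticket(ica_file["ticket"])
        if target is None:
            return "error: session ticket invalid or expired"
        self.connections.append(target)           # step 10: ICA over 1494 to target
        return f"proxying ICA to {target[0]}:{target[1]}"


def run_demo():
    """Exercise a valid launch, a replayed ticket and an expired ticket."""
    now = [1000.0]                                # fake clock, seconds
    sta = SecureTicketAuthority(clock=lambda: now[0])
    wi = WebInterface(sta, "gateway.example.com")  # assumed external gateway name
    gw = SecureGateway(sta)

    ica = wi.launch("10.0.5.21")                  # constructed internal server address
    first = gw.accept(ica)                        # valid ticket: connection proxied
    replay = gw.accept(ica)                       # same ticket again: rejected

    ica2 = wi.launch("10.0.5.22")
    now[0] += 200                                 # advance past the ticket lifetime
    expired = gw.accept(ica2)                     # stale ticket: rejected
    return first, replay, expired, ica


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Two design points carry over to a real deployment: the ticket is the only secret that crosses the Internet, so its entropy matters more than its length, and the STA must enforce both the lifetime and single use, otherwise a captured ICA file can be replayed to the gateway after the legitimate session starts.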




Citrix Access Suite 4 for Windows Server 2003: The Official Guide, Third Edition
ISBN: 0072262893
Year: 2003
Pages: 158