Citrix MetaFrame Secure Access Manager 2.2
Codename – “Tampa”
Release Date – March 17, 2004

Citrix MetaFrame Secure Access Manager 2.2 - Release Themes
• Messaging synchronization for Outlook
  • Users can securely access Microsoft Outlook email, calendar, contacts and tasks in real time, and synchronize information to their local devices.
  • Workers have access to critical information locally and can work from anywhere – even on a plane or in a car.
• Securing Alternative User Interfaces
  • Administrators can integrate existing portal implementations into their access infrastructure and securely deliver access to portals anywhere.
  • Organizations leverage past IT investments while meeting the need to become an On Demand enterprise.

New Features – Messaging Synchronization for Outlook
• Secure email synchronization using Secure Gateway
• Support for Outlook 2000, XP, and 2003 clients
• Leverages new Advanced Gateway Client

New Features – Alternate User Interfaces
• Allows direct access to Web-based infrastructures immediately after authentication
• Allows customers to leverage existing infrastructure
• Secures Enterprise Information Portals (EIPs)
• Enables greater flexibility in customized MetaFrame Secure Access Manager deployments

Architectural Changes
• Updated Services
  • Secure Ticketing Authority
  • Logon Agent
• New Client
  • Advanced Gateway Client
• No changes to:
  • Access center
    • No new or updated CDAs
  • Core services (State, Agent, Web)
  • Secure Gateway

Updated Secure Ticketing Authority
• Generates two types of tickets:
  • ICA Ticket
    • Supports launching of ICA connections through Secure Gateway
    • Sent as part of ICA files to client
    • Same ticket type produced by earlier STA versions
  • Advanced Gateway Client Ticket
    • Used to invoke the Advanced Gateway Client on user’s desktop
    • Includes list of configured alternate sites and exchange servers
• Administrator configures the following:
  • Secure Ticket Authority ID
  • ICA and Advanced Gateway Client ticket settings
  • List of alternate site servers and exchange servers

Updated Logon Agent
• Controls access to email synchronization and alternate sites
  • Enables or disables use of the Advanced Gateway Client
  • Determines which users/groups can access alternate sites and exchange servers
  • Sets Logon Agent redirection URL (alternate website or MSAM access center)
  • Sets Advanced Gateway Client download URL
• Can be integrated with a MetaFrame Presentation Server XML Service
  • Allows access to the alternate website and email synchronization features to be set for a specific domain group
  • If integration with the XML Service is not performed, access to the alternate website and email synchronization features can only be set for ALL authenticated users or NO users

Advanced Gateway Client
[Diagram: the two clients shown against the OSI layers: Application, Presentation, Session, Transport, Network, Data Link, Physical]
Gateway Client
• Intercepts traffic at the application layer
• Restricts request interception to a list of known servers
Advanced Gateway Client
• Intercepts traffic at the IP level
• Uses the standard Windows Service Provider Interface
• Restricts request interception to a known list of applications and servers

Advanced Gateway Client
• Required for use of Outlook Synchronization and Alternate User Interfaces
• Restricts traffic to a configured list of internal servers at the network layer
  • Inspects the intended destination
  • If appropriate, redirects the traffic to the Gateway Service and into the internal network
• Like a traditional IPSec client, but…
  • Restricts access by application executable and destination
  • Does not require client-side configuration

Protocol Support
• AGC officially supports:
  • ICA
  • HTTP/HTTPS
  • WebDAV
  • RDP
  • MAPI
• AGC can work with other protocols
  • No additional protocols were tested
  • No additional protocols are supported
  • Recommend Citrix Consulting for other protocol support

Existing MSAM Architecture
[Architecture diagram. Labels: ICA Client, Gateway Client, Firewall, Secure Gateway, Firewall, Web Server, Logon Agent, Access Center, Authorization & Authentication, Authentication Service, Optional 2 Factor Authentication, Secure Ticketing Authority, State Server, State Service database, Index Server, Indexing Engine, Search Engine, Agent Server, Content Delivery Server, Content Delivery Agents (CDAs), Presentation Server Farm, Enumeration, Access; protocols: HTTP, SSL, ICA]
• Secure Gateway: secure reverse proxy that secures interaction with internal resources
• Web Server: serves HTML, authenticates users and issues session tickets
• State Server: maintains session state and Access Center configuration
• Index Server: allows indexing and searching of internal Web and file servers
• Agent Server: hosts CDAs and aggregates page content based on user role
• Other internal resources:
  • Web Servers
  • File Servers (docs)

Advanced Gateway Client Overview
[Architecture diagram. Labels: ICA Client, Gateway Client, Advanced Gateway Client, Firewall, Secure Gateway, Firewall, Web Server, Logon Agent, Access Center, Authorization & Authentication, Authentication Service, Optional 2 Factor Authentication, Secure Ticketing Authority, State Server, State Service database, Index Server, Indexing Engine, Search Engine, Agent Server, Content Delivery Server, Content Delivery Agents (CDAs), Presentation Server Farm, Enumeration, Access; protocols: HTTP, SSL, ICA]
• Advanced Gateway Client Setup:
  • Install client on user's machine (can be delivered via MetaFrame Secure Access Manager at logon)
  • Specify which users are allowed to use the Advanced Gateway Client
  • Specify which servers can be accessed using the Advanced Gateway Client:
    • Exchange servers via Port 135 (RPC)
    • Alternative Home Page servers
• Other internal resources:
  • Web Servers
  • File Servers (docs)
  • Web Servers (Java/WebDAV)
  • Exchange Servers
  • Alternative UI Servers

Securing Alternative User Interfaces
[Architecture diagram. Labels: ICA Client, Gateway Client, Advanced Gateway Client, Firewall, Secure Gateway, Firewall, Web Server, Logon Agent, Access Center, Authorization & Authentication, Authentication Service, Optional 2 Factor Authentication, Secure Ticketing Authority, State Server, State Service database, Index Server, Indexing Engine, Search Engine, Agent Server, Content Delivery Server, Content Delivery Agents (CDAs), Presentation Server Farm, Enumeration, Access; protocols: HTTP, ICA]
• Other internal resources:
  • Web Servers (Java/WebDAV)
  • File Servers (docs)
  • Exchange Servers
  • Alternative UI Servers
• Alternate User Interface setup:
  • Add Alternate UI server name(s) to the Secure Access Manager server ACL (access control list)
  • Specify the Alternate UI URL at Secure Gateway as the default Home Page URL

Installation Notes
• Secure Access Manager 2.2 is an upgrade
• New customers will need to:
  • Install MetaFrame Secure Access Manager 2.0
  • Upgrade to MetaFrame Secure Access Manager 2.1
  • Upgrade Logon Agent and STA to 2.2
• To install the Advanced Gateway Client:
  • Must be logged on to the desired workstation as an administrator.
  • The workstation cannot be running a server operating system like NT, Windows 2000 or Windows 2003 server.
  • The Citrix Extranet client cannot be installed on the target workstation.

Other Notes
• If redirection to an alternate website is performed…
  • The user may need to log into the alternate website
  • The second logon can be facilitated with Password Manager
• Two Advanced Gateway Client installation packages
  • MSI package (Windows XP Professional, 2000 Professional)
  • EXE package (Windows 98)
• Both the Advanced Gateway Client and Gateway Client might be utilized in certain circumstances
  • Gateway Client can be disabled by altering Logon Agent

Possible Issues
• Cannot access Exchange server (lose connection)
  • Port 135 is used for discovery only
  • MAPI port may change on restart of Exchange server
  • Recommend setting a static port for Exchange (MAPI)
• Cannot configure mail account in Control Panel
  • Control Panel uses rundll32.exe (not supported)
  • Use Tools -> Options in Outlook to configure
• Advanced Gateway Client does not close
  • Session does not end when application is closed
  • Session will end on timeout or manual exit

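The Advanced Gateway Client slides (interception restricted by application executable and destination) and the first two issues above can be read as one allow-list decision. The following sketch is an added illustration, not Citrix code; the host names, port numbers, executable list and the idea that the server list is keyed by host and port are all assumptions.

```python
from dataclasses import dataclass

# Constructed policy: executable names, hosts and ports are illustrative
# assumptions, not values from the slides or from Citrix documentation.
@dataclass(frozen=True)
class Policy:
    allowed_apps: frozenset   # executables whose traffic may be intercepted
    allowed_dests: frozenset  # (host, port) pairs reachable via the gateway

def decide(policy, exe, host, port):
    """Return (action, reason); 'redirect' = tunnel to the Gateway Service,
    'direct' = leave the connection untouched (no path to internal servers)."""
    if exe.lower() not in policy.allowed_apps:
        return ("direct", "application not on allow-list")
    if (host.lower(), port) not in policy.allowed_dests:
        return ("direct", "destination not on allow-list")
    return ("redirect", "application and destination both allowed")

def outlook_session(policy, host, mapi_port):
    """Outlook first queries the RPC endpoint mapper on port 135, then
    connects to the MAPI port it was told; both hops must be redirected."""
    hops = [decide(policy, "outlook.exe", host, p) for p in (135, mapi_port)]
    return all(action == "redirect" for action, _ in hops)

POLICY = Policy(
    allowed_apps=frozenset({"outlook.exe", "iexplore.exe"}),
    allowed_dests=frozenset({
        ("exch01.corp.example", 135),    # RPC endpoint mapper (discovery)
        ("exch01.corp.example", 5000),   # assumed static MAPI port
        ("portal.corp.example", 443),    # assumed alternate UI server
    }),
)

if __name__ == "__main__":
    cases = [("outlook.exe", "exch01.corp.example", 135),
             ("rundll32.exe", "exch01.corp.example", 135),  # Control Panel mail applet
             ("iexplore.exe", "www.example.org", 443)]
    for exe, host, port in cases:
        print(exe, host, port, "->", decide(POLICY, exe, host, port))
    print("static MAPI port 5000:", outlook_session(POLICY, "exch01.corp.example", 5000))
    print("dynamic MAPI port 1187:", outlook_session(POLICY, "exch01.corp.example", 1187))
```

The rundll32.exe case shows why the Control Panel mail applet fails while Outlook itself works, and the last two lines show why a MAPI port that changes after an Exchange restart drops out of the allowed destinations.
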
Competitors
• SSL VPNs
  • NetScreen (formerly Neoteris)
  • Aventail
  • Netilla/Tarantella
  • Whale
• Portals
  • Sharepoint
  • Websphere

On the Horizon…
• Next Release
  • Codename: “Malibu”
  • Release Timeframe: “Turnberry” Suite Release - 1H ‘05
• Release Focus
  • Improved Suite integration
  • Extended Access Center functionality:
    • Extended browser support
    • Improved Shared Docs and Links CDAs
  • Remote access policies based on:
    • User being internal or external to corporate LAN