
Client Access – Published applications


Presentation Transcript


  1. Client Access – Published applications
     Control through TEMPLATE.ICA
     • Use SSL
     • Authentication level
     • Remove:
       • EncRc5-0
       • EncRc5-40
       • EncRc5-56
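The three TEMPLATE.ICA controls on this slide (SSL on, drop the weak RC5 encryption sections) can be audited and enforced mechanically rather than by hand-editing the file. The script below is an added example and is not Citrix code or anything from the original deck; it assumes the template is a plain INI-style file with sections named [EncRC5-0], [EncRC5-40], [EncRC5-56] and [EncRC5-128], an SSLEnable key in [WFClient] and an EncryptionLevelSession key in an [Application] section, and it treats tokens such as [NFuse_IPV4Address] as opaque placeholders. The sample template is constructed for the example.

```python
"""Audit and harden a Web Interface / NFuse TEMPLATE.ICA.

Added example, not Citrix code. The ICA file is an INI-style text file;
the section names [EncRC5-0], [EncRC5-40], [EncRC5-56], [EncRC5-128] and
the keys SSLEnable (in [WFClient]) and EncryptionLevelSession (in the
application section) are assumptions about the template layout, chosen
to match the slide's bullets. Tokens like [NFuse_IPV4Address] are
placeholders the Web Interface fills in; they are left untouched.
"""
from collections import OrderedDict

# Encryption levels the slide says to remove (matched case-insensitively).
WEAK_SECTIONS = ("encrc5-0", "encrc5-40", "encrc5-56")
STRONG_LEVEL = "EncRC5-128"
APP_SECTION = "Application"   # assumed name of the per-application section

# Constructed sample template with the weak sections still present.
SAMPLE_TEMPLATE_ICA = """\
[WFClient]
Version=2
SSLEnable=Off

[Application]
Address=[NFuse_IPV4Address]
InitialProgram=#[NFuse_AppName]
EncryptionLevelSession=EncRC5-40
TransportDriver=TCP/IP

[EncRC5-0]
DriverNameWin32=pdc0n.dll

[EncRC5-40]
DriverNameWin32=pdc40n.dll

[EncRC5-56]
DriverNameWin32=pdc56n.dll

[EncRC5-128]
DriverNameWin32=pdc128n.dll
"""


def parse_ica(text):
    """Parse INI-style text into {section: [(key, value), ...]}, keeping order."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def _get(items, key):
    for k, v in items:
        if k.lower() == key.lower():
            return v
    return None


def _set(items, key, value):
    """Return items with key replaced (or appended) by value."""
    kept = [(k, v) for k, v in items if k.lower() != key.lower()]
    return kept + [(key, value)]


def audit(sections):
    """Return a list of findings; an empty list means the template is hardened."""
    findings = []
    for name in sections:
        if name.lower() in WEAK_SECTIONS:
            findings.append("weak encryption section present: [%s]" % name)
    if (_get(sections.get("WFClient", []), "SSLEnable") or "Off").lower() != "on":
        findings.append("SSLEnable is not On in [WFClient]")
    level = _get(sections.get(APP_SECTION, []), "EncryptionLevelSession") or ""
    if level.lower() != STRONG_LEVEL.lower():
        findings.append("EncryptionLevelSession is %r, expected %s" % (level, STRONG_LEVEL))
    return findings


def harden(sections):
    """Drop the weak sections, force SSL on and the 128-bit session level."""
    hardened = OrderedDict()
    for name, items in sections.items():
        if name.lower() in WEAK_SECTIONS:
            continue
        if name == "WFClient":
            items = _set(items, "SSLEnable", "On")
        elif name == APP_SECTION:
            items = _set(items, "EncryptionLevelSession", STRONG_LEVEL)
        hardened[name] = items
    return hardened


def render(sections):
    """Serialize back to ICA text."""
    lines = []
    for name, items in sections.items():
        lines.append("[%s]" % name)
        lines.extend("%s=%s" % kv for kv in items)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_ica(SAMPLE_TEMPLATE_ICA)
    for finding in audit(parsed):
        print("FINDING:", finding)
    print(render(harden(parsed)))
```

Run audit() against the deployed template as a check before and after editing; removing the [EncRC5-*] sections matters because a client that still finds them can negotiate down to basic encryption, and the 128-bit section is kept so the session level the template asks for is still resolvable.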

  2. Remote Access
     • Wireless LAN: 802.11x (802.11a, 802.11b, 802.11g), 11 Mbps (802.11b) to 54 Mbps (802.11a/g)
     • Wireless WAN: 40–120 Kbit/s over public networks (CDPD, 1xRTT, other)
     • High speed access: cable modem, xDSL (ADSL, IDSL, SDSL)

  3. Wireless LAN or WAN
     Diagram (text only): WLAN client, WAP and external client on one side; Web Interface (443), Secure Gateway (443), STA (80) and the MetaFrame XP farm (80, 1494) on the other.
     • Secure WLAN or WWAN with Secure Gateway
     • Internal firewall
     • Port filtering at the access device
     • Firewall behind the access device (i.e. extended access list)

  4. Connections

  5. Ports opened on the internal and external interfaces:
       Internal      External
       1494 (TCP)    1494 (TCP)
       443 (TCP)     443 (TCP)
       1604 (UDP)    1604 (UDP)
     Packet filtering (port based)
     • Prevent data from reaching unintended services
     • Restrict data flow based on destination ports
     • Control which services respond to requests, by:
       • TCP port
       • UDP port
       • IP protocol number

  6. Many links to consider….
     Diagram components: Internet; Internet Explorer and ICA Client; Gateway Client; Secure Gateway Proxy; Secure Gateway; Internal Web Servers; MetaFrame Secure Access Manager; Authentication Service + STA; Logon Agent; 3rd Party Auth; MetaFrame XP Server Farm. Link types: HTTP(S), ICA/Secure ICA.

  7. Web Interface
     • First things first!
     • Mandate that authentication occurs over SSL
     • IIS example: (IISAdmin)

  8. Web Interface / Secure Access Manager
     Diagram (text only): HTTP versus HTTPS to the Web Interface / Secure Access Manager

  9. Web Interface / Secure Access Manager
     • Web server hardening
       • IIS Lockdown tool (must enable ASP under the advanced options)
       • Remove sample directories from the web server
       • Move the webroot from its default location (CTX102001)
     • Enforce password policies
       • Expire passwords
       • Alphanumeric combinations
     • Remove the IIS anonymous user account
       • Create an account to replace it
     • Disable pass-through authentication

  10. Web Interface / Secure Access Manager
      • Disable unused services
      • Remove unnecessary components
      • Apply the latest service packs
        • Free tool: HFNETCHK to review installed hotfixes
      • Disable default admin shares (C$, Admin$, etc.)
      • Unbind NetBIOS from all adapters
      • Disable NetBIOS over TCP/IP
      • Use port filtering!
        • 80 or 443 for the STA
        • 443 for Secure Gateway/Web Interface or Logon Agent
        • 1494, 80 and/or 443 for MetaFrame XP Presentation Servers
        • Use extended access lists where possible
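Slides 3, 5 and 10 together describe one port-based filtering policy: clients reach the gateway and Web Interface on 443 only, the STA answers on 80 (or 443), and 1494/80/443 plus UDP 1604 are open to the farm only from the hosts and subnets that need them. The script below is an added example, not Citrix code or anything from the deck; it encodes that policy as a rule table, evaluates constructed flows against it with an implicit deny, and renders the same rules as the Cisco IOS extended access list the slide recommends. The addresses are RFC 5737 documentation addresses chosen here, and the placement of each role behind them is an assumption.

```python
"""Port-based packet filtering for the Secure Gateway / MetaFrame XP ports.

Added example, not Citrix code. The role-to-port table follows slides 5
and 10; the host and subnet addresses are RFC 5737 documentation addresses
chosen here (assumed), as is the placement of each role. permitted()
evaluates a flow against the rule set with an implicit deny, and
to_cisco_acl() renders the same rules as a Cisco IOS extended access list.
"""
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "proto src dst dport")
Flow = namedtuple("Flow", "proto src dst dport")


def host(addr):
    return ipaddress.ip_network(addr + "/32")


ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL_LAN = ipaddress.ip_network("10.10.0.0/16")       # assumed internal client subnet
SECURE_GATEWAY = host("192.0.2.10")                       # assumed DMZ address
WEB_INTERFACE = host("192.0.2.11")                        # assumed DMZ address
STA = host("198.51.100.5")                                # assumed internal address
METAFRAME = host("198.51.100.20")                         # assumed farm server address

RULES = [
    Rule("tcp", ANY, SECURE_GATEWAY, 443),        # clients reach the gateway only on 443
    Rule("tcp", ANY, WEB_INTERFACE, 443),         # browser to Web Interface over SSL only
    Rule("tcp", SECURE_GATEWAY, STA, 80),         # gateway validates tickets with the STA
    Rule("tcp", WEB_INTERFACE, STA, 80),          # Web Interface requests tickets from the STA
    Rule("tcp", WEB_INTERFACE, METAFRAME, 80),    # Web Interface to the MetaFrame XML service
    Rule("tcp", SECURE_GATEWAY, METAFRAME, 1494), # gateway relays ICA into the farm
    Rule("udp", INTERNAL_LAN, METAFRAME, 1604),   # ICA browsing for internal clients only
]


def permitted(flow, rules=RULES):
    """First matching permit wins; anything unmatched is dropped (implicit deny)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if r.proto == flow.proto and src in r.src and dst in r.dst and r.dport == flow.dport:
            return True
    return False


def filter_flows(flows, rules=RULES):
    return [(f, permitted(f, rules)) for f in flows]


def cisco_spec(net):
    """IOS address spec: 'any', 'host a.b.c.d', or 'network wildcard'."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return "host %s" % net.network_address
    return "%s %s" % (net.network_address, net.hostmask)


def to_cisco_acl(rules=RULES, number=101):
    """Render the rule set as a numbered extended access list, ending in an explicit deny."""
    lines = ["access-list %d permit %s %s %s eq %d"
             % (number, r.proto, cisco_spec(r.src), cisco_spec(r.dst), r.dport) for r in rules]
    lines.append("access-list %d deny ip any any log" % number)
    return lines


# Constructed test traffic: an Internet client, the gateway itself and an internal workstation.
SAMPLE_FLOWS = [
    Flow("tcp", "203.0.113.7", "192.0.2.10", 443),     # Internet client to Secure Gateway
    Flow("tcp", "203.0.113.7", "198.51.100.20", 1494), # Internet client straight to the farm
    Flow("tcp", "192.0.2.10", "198.51.100.20", 1494),  # Secure Gateway to the farm
    Flow("udp", "10.10.4.9", "198.51.100.20", 1604),   # internal ICA browsing
    Flow("udp", "203.0.113.7", "198.51.100.20", 1604), # external ICA browsing
    Flow("tcp", "203.0.113.7", "192.0.2.10", 3389),    # RDP to the gateway host
]

if __name__ == "__main__":
    for flow, ok in filter_flows(SAMPLE_FLOWS):
        print("permit" if ok else "deny  ", flow)
    print("\n".join(to_cisco_acl()))
```

The second sample flow is the one the "firewall behind the access device" bullet exists for: port 1494 is open on the internal interface, but only with the Secure Gateway as source, so an Internet client cannot bypass the gateway and talk ICA to the farm directly. The closing deny with log is what feeds the ACL-rejected counter later in the deck.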

  11. Secure Gateway

  12. SSL/TLS Support
      • SSL V3.0 and TLS V1.0 secure protocols supported
      • SSL-secured connections may now include:
        • Client browser to Web Interface server
        • Web Interface to MetaFrame XML Service
        • Web Interface to Secure Ticket Authority
        • Secure Gateway to Secure Gateway Proxy
        • Secure Gateway to Authentication Service
        • Secure Gateway to Secure Ticket Authority
        • Secure Gateway to Logon Agent
        • Logon Agent to Authentication Service

  13. Web Interface

  14. SSL Certificate
      • Issued to the Internet FQDN, not necessarily the server name*
      • Dates are valid
      • Corresponding private key
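The first two bullets on this slide are what an ICA client or browser actually verifies when it connects, and they are the usual reasons a Secure Gateway certificate is rejected: it was issued to the machine name instead of the public FQDN, or it has expired. The script below is an added example, not Citrix code or anything from the deck; it checks a certificate in the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns, either fetched live from a gateway or, as here, a constructed certificate for the assumed FQDN gateway.example.com. The private-key bullet is not something a client can observe, so it is out of scope here. Note that create_default_context() in current Python versions refuses SSL 3.0 and TLS 1.0, so the live fetch only succeeds against a gateway that also speaks a newer TLS version than the two listed on slide 12.

```python
"""Check a Secure Gateway / Web Interface server certificate the way a client sees it.

Added example, not Citrix code. check_cert() works on the dictionary that
ssl.SSLSocket.getpeercert() returns, so it runs against a live endpoint
through peer_cert_of() or, as here, against a constructed certificate for
the assumed FQDN gateway.example.com. Only what a client can see is
checked (issued name and validity dates); whether the matching private key
is installed is verified on the server itself.
"""
import socket
import ssl

# Constructed certificate in getpeercert() layout (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "gateway.example.com"),),),
    "subjectAltName": (("DNS", "gateway.example.com"), ("DNS", "www.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2026 GMT",
}
NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")  # fixed clock for the offline run


def names_in(cert):
    """DNS names the certificate was issued to: SAN entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """Exact match, or a wildcard covering exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def check_cert(cert, expected_fqdn, now):
    """Return the list of problems; empty means the certificate is usable for expected_fqdn."""
    problems = []
    names = names_in(cert)
    if not any(name_matches(n, expected_fqdn) for n in names):
        problems.append("not issued to %s (names: %s)" % (expected_fqdn, ", ".join(names)))
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems


def peer_cert_of(fqdn, port=443, timeout=5):
    """Fetch the certificate from a live endpoint (needs network; not used offline).
    create_default_context() also verifies the chain to a trusted root, so a
    missing root certificate on the client shows up here as an SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()


def run_checks():
    """The cases the slide calls out, evaluated against the constructed certificate."""
    return {
        "fqdn": check_cert(SAMPLE_CERT, "gateway.example.com", NOW),
        "server_name": check_cert(SAMPLE_CERT, "sgw01.corp.local", NOW),
        "expired": check_cert(SAMPLE_CERT, "gateway.example.com", NOW + 2 * 366 * 86400),
    }


if __name__ == "__main__":
    for case, problems in run_checks().items():
        print("%-12s %s" % (case, problems or "OK"))
```

The "server_name" case is the slide's asterisk: the certificate is fine for the public name clients type in, and fails only when checked against the host's internal machine name, which is why the gateway's internal name should never be what the certificate request was generated for.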

  15. Certificate Placement
      Diagram (text only): server certificate, server certificate, root certificate

  16. Single DMZ
      Diagram components: Internet; Internet Explorer and ICA Client; Gateway Client; Secure Gateway Service; Internal Web Servers; Web Interface; MetaFrame Secure Access Manager; Authentication Service + STA; Logon Agent; optional 3rd Party Auth; MetaFrame XP Presentation Server Farm. Link types: HTTP(S), ICA.

  17. Dual Stage DMZ
      Diagram components (DMZ 1 and DMZ 2): Internet; Internet Explorer and ICA Client; Gateway Client; Secure Gateway; Secure Gateway Proxy; Internal Web Servers; Web Interface; MetaFrame Secure Access Manager; Authentication Service + STA; Logon Agent; 3rd Party Auth; MetaFrame XP Server Farm. Link types: HTTP(S), ICA.

  18. MMC Management Tools

  19. MMC Management Tools Continued….
      • Secure access to all of your content
        • Files
        • Internal web content
        • Published applications
      • Management console
        • Log connections
        • Real time counters

  20. MMC Management Tools Continued….
      • Real time…
        • User name
        • Domain
        • Server connected
        • Bytes transferred
        • Connection time
        • Connection date

  21. MMC Management Tools Continued….
      Perfmon statistics
      • Total failed….
      • Ticket validations
      • Validations
      • Connections
      • ACL rejected
      …and more…
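Slides 19 to 21 list what the console logs per connection and what the Perfmon counters total up; the same numbers can be rebuilt from the connection log, which is also where a detection rule naturally sits. The script below is an added example, not Citrix code or anything from the deck. The log line format it parses is invented for the example (the real Secure Gateway log layout is not on the page) and the sample lines are constructed; the per-session fields and the counters it produces are the ones the slides name, plus one check added here: a source that repeatedly fails ticket validation or is rejected by the ACL gets flagged.

```python
"""Derive the Secure Gateway counters from slides 19-21 out of a connection log.

Added example, not Citrix code: the line format below is invented for the
example (the real Secure Gateway log layout is not on the page); the
per-session fields and the counters are the ones the slides list. The
fail_threshold flag is a check added here: a source that keeps failing
ticket validation or hitting the ACL is worth a look.
"""
import re
from collections import Counter

# Constructed sample log: "<date> <time> <EVENT> key=value ...".
SAMPLE_LOG = """\
2004-03-02 09:15:01 TICKET_OK src=203.0.113.7 user=jdoe domain=CORP
2004-03-02 09:15:01 CONNECT src=203.0.113.7 user=jdoe domain=CORP server=198.51.100.20
2004-03-02 09:15:02 TICKET_FAIL src=203.0.113.9 reason=expired
2004-03-02 09:15:03 TICKET_FAIL src=203.0.113.9 reason=invalid
2004-03-02 09:15:04 TICKET_FAIL src=203.0.113.9 reason=invalid
2004-03-02 09:15:05 ACL_REJECT src=203.0.113.9 dst=198.51.100.99 dport=1494
2004-03-02 09:20:00 TICKET_OK src=203.0.113.21 user=asmith domain=CORP
2004-03-02 09:20:00 CONNECT src=203.0.113.21 user=asmith domain=CORP server=198.51.100.21
2004-03-02 09:42:10 DISCONNECT src=203.0.113.7 user=jdoe domain=CORP bytes=1843200
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<event>[A-Z_]+)(?P<rest>.*)$")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    fields.update(date=m.group("date"), time=m.group("time"), event=m.group("event"))
    return fields


def summarize(log_text, fail_threshold=3):
    """Return (perfmon-style counters, live sessions, suspicious sources)."""
    counters = Counter()
    sessions = {}                  # (user, domain) -> the MMC real-time view of that session
    failures_by_src = Counter()    # failed validations + ACL rejects per source address
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        event = rec["event"]
        if event == "TICKET_OK":
            counters["validations"] += 1
        elif event == "TICKET_FAIL":
            counters["validations"] += 1
            counters["failed_validations"] += 1
            failures_by_src[rec["src"]] += 1
        elif event == "ACL_REJECT":
            counters["acl_rejected"] += 1
            failures_by_src[rec["src"]] += 1
        elif event == "CONNECT":
            counters["connections"] += 1
            sessions[(rec["user"], rec["domain"])] = {
                "server": rec["server"], "src": rec["src"],
                "date": rec["date"], "time": rec["time"],
            }
        elif event == "DISCONNECT":
            if sessions.pop((rec["user"], rec["domain"]), None) is not None:
                counters["bytes_transferred"] += int(rec.get("bytes", 0))
    suspicious = sorted(src for src, n in failures_by_src.items() if n >= fail_threshold)
    return counters, sessions, suspicious


if __name__ == "__main__":
    counters, sessions, suspicious = summarize(SAMPLE_LOG)
    print("counters:", dict(counters))
    print("live sessions:", sessions)
    print("suspicious sources:", suspicious)
```

On the sample, 203.0.113.9 never gets a valid ticket and is then rejected by the ACL when it tries 1494 against an address the gateway does not relay to; that combination of failed validations and ACL rejects from one source is the pattern the raw Perfmon totals hide.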

  22. Securing connections continued….
      • Best Practices for Securing a Secure Gateway Deployment
      • CTX19376
