Chapter 1: An Introduction to Citrix SmartAccess

Citrix SmartAccess is Citrix’s flavor of Network Access Control (NAC) and is a feature within the Citrix Access Gateway product line. NAC is a technical method that grants access to enterprise resources based upon a variety of user variables and the posture of the user’s end-point device. NAC allows organizations to enforce security policies by verifying a device's compliance with corporate security standards before a user and the device are granted access to the network. Today NAC comes in many flavors from a multitude of hardware and software vendors. Many vendors, such as Citrix, include NAC as an SSL VPN feature. There are also late entrants into the NAC arena like Microsoft with Network Access Protection (NAP), which will be included in Vista and Windows Server 2008, as well as Cisco's Network Admission Control (NAC). Both Microsoft and Cisco have taken an interesting approach to NAC by integrating it into their core platforms. Microsoft’s NAP technology will be a feature within their Windows Server 2008 platform, and Cisco’s NAC is an extensible platform for their networking gear. Regardless of the technology, NAC solutions endeavor to provide layer 4 through 7 policy control based on a variety of user variables and the posture of the user’s end-point device.

In today's business climate, organizations must provide simple and secure access to network resources for remote workers and business partners to stay competitive. One of the challenges with allowing remote workers access to the corporate network is securing the corporate network from unauthorized access and virus infection. Organizations are turning to SSL VPNs to provide browser-based remote access to their internal network, along with NAC to reduce the risk of unauthorized access and virus infection by enforcing NAC security policies before a user is allowed on the internal network. SSL VPNs offer browser-initiated layer 3 tunnels along with layer 4 through 7 NAC. NAC can help keep infected PCs off the network, which is especially troublesome for organizations that support laptops being used at work, at home and all points in between.

Citrix SmartAccess allows organizations to map their written security policies, in terms of application access and application functionality, to SmartAccess policies. SmartAccess policies provide granular control over applications hosted on Citrix Presentation Servers in a Business to Employee (B2E) or Business to Business (B2B) format. The key factor that differentiates SmartAccess from other vendors' NAC offerings is that SmartAccess extends security controls to the application layer, e.g. applications that are delivered via Citrix Presentation Server. The term that best describes Citrix’s implementation of NAC is “network application control”.

Citrix’s implementation of NAC policies, like that of many other SSL VPN vendors, is based on the result of end-point analysis and other session properties such as authentication type. End-point analysis is enabled by an ActiveX control. The ActiveX control is delivered by the appliance to the Windows end-point device. The ActiveX control executes the end-point analysis; the end-point analysis results are then parsed by the Advanced Access Control web server, which in turn enforces SmartAccess policies. SmartAccess capabilities determine which networks and Citrix Presentation Server applications are available within a user’s session. From a layer 7 perspective (the application layer), SmartAccess provides control over Citrix Presentation Server hosted applications by enabling or disabling ICA virtual channels, e.g. client drive mappings, clipboard (cut and paste), client printing and so forth. For example, a user who accesses the system from an untrusted end-point device may not get access to sensitive business-critical applications. Another example: local printing and drive mapping cannot be used when connecting from an untrusted device, but are available when connecting from a managed end-point device.

When a user moves to a different device, the appliance will scan the new device and reconnect the user to Citrix Presentation Server applications based on the result of the scan of that device. For example, a sensitive financial application may be locked down to permit access only from within the corporate network. As a user roams to a device outside of the corporate network, the user can be prevented from reconnecting to their disconnected Citrix Presentation Server session(s). The ability to control and monitor layer 3 access and layer 4 through 7 policies with Citrix SmartAccess can increase an organization’s security posture and help satisfy regulatory mandates.
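The two preceding paragraphs describe how end-point analysis results and session properties are mapped to application entitlements and ICA virtual channels, and how that mapping is re-evaluated when a user roams to another device. The following is an added, constructed model of that policy logic (not Citrix's own API or policy format); the field names, application names and rules are assumptions chosen to mirror the examples in the text.

```python
from dataclasses import dataclass

# Hypothetical model of SmartAccess-style policy evaluation, constructed for this
# example; it is not Citrix's own API or policy format.

@dataclass(frozen=True)
class Endpoint:
    """Result of the end-point analysis scan (constructed fields)."""
    managed: bool              # enterprise-managed device
    antivirus_current: bool    # scan found up-to-date antivirus
    corporate_network: bool    # device connects from inside the corporate network

@dataclass(frozen=True)
class Session:
    auth_type: str             # session property, e.g. "password" or "two_factor"
    endpoint: Endpoint

# ICA virtual channels the policy can switch on or off per session.
CHANNELS = ("client_drive_mapping", "clipboard", "client_printing")

def is_trusted(ep: Endpoint) -> bool:
    """A device is trusted only if it is managed and passed the antivirus check."""
    return ep.managed and ep.antivirus_current

def enabled_channels(session: Session) -> frozenset:
    """Untrusted devices get no client-side resource mapping (drives, clipboard, printing)."""
    return frozenset(CHANNELS) if is_trusted(session.endpoint) else frozenset()

def allowed_applications(session: Session) -> frozenset:
    """Map application sensitivity to device posture and session properties."""
    ep = session.endpoint
    apps = {"email"}                        # available to every authenticated user
    if is_trusted(ep):
        apps.add("hr_portal")               # sensitive: trusted device only
    if is_trusted(ep) and ep.corporate_network and session.auth_type == "two_factor":
        apps.add("financials")              # business critical: inside the network, strong auth
    return frozenset(apps)

def reconnectable(disconnected_apps: set, new_session: Session) -> tuple:
    """When a user roams to another device, re-evaluate the new device's scan before
    reconnecting disconnected sessions. Returns (reconnected, refused)."""
    permitted = allowed_applications(new_session)
    reconnected = frozenset(a for a in disconnected_apps if a in permitted)
    refused = frozenset(disconnected_apps) - reconnected
    return reconnected, refused
```

Run against an office session and a subsequent home-PC session for the same user, the model grants the financial application and all virtual channels in the office but refuses to reconnect the financial session, and disables drive mapping and printing, from the unmanaged home device.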