Chapter 2: The Citrix Access Gateway Product Line
The Citrix Access Gateway product line has three editions: Enterprise, Advanced and Standard. Citrix Access Gateway Enterprise Edition is aimed at Presentation Server and networking buyers with the most demanding remote access needs (up to 10,000 users). Citrix Access Gateway Advanced Edition is a mid-market solution (up to 1,000 users) aimed at Presentation Server buyers who need intellectual property control. Citrix Access Gateway Standard Edition is an entry-level solution (up to 200 users) aimed at Presentation Server buyers who need an appliance-based alternative to Citrix Secure Gateway.
The Standard and Advanced Editions run on Citrix's Net6 platform. Citrix acquired Net6 for approximately $50 million in the fourth quarter of 2004. The Advanced Edition uses the Net6 appliance for layer 3 tunneling and a software component that runs on Internet Information Server (IIS) for layer 4 through 7 NAC. Some of the software components were developed by Citrix in-house; others came from the acquisition of a small Canadian start-up named Motivus. The Enterprise Edition runs on the Citrix NetScaler platform and provides layer 3 tunneling and layer 4 through 7 NAC on a single appliance. Citrix acquired NetScaler for approximately $300 million in the third quarter of 2005. The Net6 acquisition gave Citrix an entry-level SSL VPN appliance that helped establish Citrix as a leader in the SSL VPN market; the NetScaler acquisition gave Citrix next-generation application acceleration, load balancing and SSL VPN functionality on an established and well-respected platform.
Figure 2.1 shows the Citrix Access Gateway product line.
Table 2.1 highlights the key features and capabilities of each Citrix Access Gateway Edition, comparing Access Gateway 4.5 Standard Edition, Access Gateway 4.5 Advanced Edition and Access Gateway 8.0 Enterprise Edition. The features are grouped below by how many of the three editions offer them.

Available in all three editions:
- VPN tunneling
- Secure Gateway replacement
- Supports Access Gateway Universal license
- End-point analysis
- Two-factor authentication
- Centralized management
- Failover support

Available in two of the three editions:
- VPN client integration with Windows GINA
- Non-administrative install of VPN client
- Multi-lingual interface
- SmartAccess for Presentation Server applications
- Detailed audit trail

Available in one edition only:
- Dynamic token replacement
- Extensible end-point analysis SDK
- Web-based access to e-mail
- Multi-farm support for Presentation Server
- Web Interface portal integration
- Clientless, browser-only access
- SmartAccess for Web applications (FTA, HTML preview, etc.)
- Access scenario fallback to ICA only (based on EPA)
- High availability
- Client-side cache clean-up
- Server-initiated connections
- Client certificate authentication (for smart card authentication)
- Security certifications: FIPS 140-2 (optional), ICSA
- Virtualized SSL VPN
- Delegated administration
- AppCompress technology (speeds application response)
Table 2.2 explains each of the capabilities of the Citrix Access Gateway product line.
| Feature | Explanation |
| --- | --- |
| VPN tunneling | The entire Citrix Access Gateway product line provides layer 3 tunnels with layer 4 through 7 policy control (e.g. NAC), giving a direct, secure communication link between the end point and the application. IPSec VPN solutions, such as those from Cisco and Nortel, provide a layer 3 tunnel without application-layer policy control, so a connected end point gets open access to the network, with the attendant risk of a security breach. |
| Secure Gateway replacement | Citrix Presentation Server customers may be using the software-based Secure Gateway to securely deliver Presentation Server hosted applications to remote users. Citrix Access Gateway offers increased functionality such as full layer 3 tunneling and layer 4 through 7 policy control, stronger security and reduced complexity. |
| Supports Access Gateway Universal license | Citrix Presentation Server Platinum customers receive a concurrent user (CCU) Access Gateway Universal license that can be applied to any of the three Access Gateway editions: Standard, Advanced or Enterprise. |
| End-point analysis | End-point analysis enforces security policy by validating the compliance of a Windows device before it gains access to the network. Compliance is validated by running an ActiveX scan against the operating system and then applying the appropriate policies based on the evidence collected by the scan. |
| Two-factor authentication | Common implementations of two-factor authentication use "something you know", such as a password, as one factor and either "something you have" (a token) or "something you are" (a biometric such as a fingerprint) as the other factor. |
| Centralized management | The ability to manage multiple appliances from a single console. |
| VPN client integration with Windows GINA | Enables transparent user logon to the corporate network by integrating with the Windows GINA (Graphical Identification and Authentication, the "Ctrl+Alt+Del" prompt) logon process. |
| Non-administrative install of VPN client | The VPN client for layer 3 traffic can be installed without administrative privileges. |
| Multi-lingual interface | Supports a variety of locales. |
| Dynamic token replacement | Allows dynamic system token variables, e.g. #<HomeDirectory>, to be used in place of fixed values; the token is replaced with the current user's value at run time. |
| Extensible end-point analysis SDK | Allows custom end-point scans to be developed with the end-point analysis SDK. |
| Web-based access to e-mail | Allows clientless, i.e. browser-based, access to e-mail without the need for a layer 3 tunnel. |
| Multi-farm support for Presentation Server | Supports the aggregation of multiple Presentation Server farms into a single Web Interface portal. |
| Web Interface portal integration | Seamless Web Interface integration with single sign-on (SSO). |
| Clientless, browser-only access | Clientless remote access to internal web applications using URL rewriting. |
| SmartAccess for Presentation Server applications | The ability to control ICA virtual channels using the evidence collected by end-point analysis. |
| SmartAccess for Web applications (FTA, HTML preview, etc.) | The ability to control web applications (FTA, HTML preview, etc.) using end-point analysis. |
| Access scenario fallback to ICA only (based on EPA) | The ability to fall back to ICA-only (clientless) access when the end-point analysis evidence does not qualify the device for a richer access scenario. |
| Detailed audit trail | Support for detailed auditing. |
| Client-side cache clean-up | Allows administrators to select the data types that are deleted from the client when users log off. |
| Client certificate authentication (for smart card authentication) | The ability to configure the Access Gateway to authenticate users with a smart card. |
| Security certifications | Certifications for commercial security products, e.g. ICSA Labs, FIPS, VPNC and CSIA. |
| Delegated administration | Provides a mechanism for propagating administrative privileges down a hierarchy of roles. |
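The "clientless, browser-only access" row above rests on URL rewriting: the gateway fetches an internal page and rewrites its links so that the browser sends every subsequent request back through the gateway, which then maps the request to the internal origin. The Python below is an added example, not Citrix code, of both halves of that mapping. The gateway name gateway.example.com, the allowlisted internal hosts, the /web/<scheme>/<host>/<path> layout and the sample page are assumptions made for illustration; the real product's layout may differ.

```python
"""Clientless SSL VPN access by URL rewriting (added example, not Citrix code).

The /web/<scheme>/<host>/<path> layout, the gateway name and the allowlist
below are assumptions chosen for illustration.
"""
import re
from typing import Optional, Tuple
from urllib.parse import urljoin, urlsplit, urlunsplit

GATEWAY_HOST = "gateway.example.com"                           # assumed public name of the gateway
ALLOWED_HOSTS = {"intranet.example.corp", "hr.example.corp"}   # assumed internal hosts the gateway may reach
PREFIX = "/web"                                                # assumed path prefix for proxied content

# Attribute values that carry URLs in HTML; the page is treated as text.
ATTR_RE = re.compile(r'''(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["'])(?P<url>[^"']*)(?P=q)''', re.I)


def rewrite_url(url: str, page_url: str) -> str:
    """Map one link found on an internal page to its gateway-proxied form.

    Links that cannot or must not be proxied are returned unchanged: fragments,
    javascript:/mailto:/data: URLs, and any host outside ALLOWED_HOSTS. The
    allowlist is what stops the gateway from becoming an open proxy.
    """
    if not url or url.startswith("#"):
        return url
    scheme = urlsplit(url).scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return url
    parts = urlsplit(urljoin(page_url, url))   # resolve relative links against the page they came from
    if parts.hostname not in ALLOWED_HOSTS:
        return url
    proxied_path = f"{PREFIX}/{parts.scheme}/{parts.netloc.lower()}{parts.path or '/'}"
    return urlunsplit(("https", GATEWAY_HOST, proxied_path, parts.query, parts.fragment))


def rewrite_html(html: str, page_url: str) -> str:
    """Rewrite every href/src/action attribute in a page fetched from page_url."""
    def repl(m):
        return f"{m.group('attr')}{m.group('q')}{rewrite_url(m.group('url'), page_url)}{m.group('q')}"
    return ATTR_RE.sub(repl, html)


def resolve_gateway_path(path: str) -> Optional[Tuple[str, str, str]]:
    """Inverse mapping done by the gateway on an incoming request.

    /web/<scheme>/<host>/<path> -> (scheme, host[:port], path), or None to deny
    malformed paths, non-HTTP schemes and hosts outside the allowlist. The
    allowlist check is repeated here because the browser, not the rewriter,
    sends the request, so the path is attacker-controlled.
    """
    m = re.fullmatch(rf"{re.escape(PREFIX)}/(https?)/([^/]+)(/.*)?", path)
    if not m:
        return None
    scheme, hostport, rest = m.group(1), m.group(2).lower(), m.group(3) or "/"
    if hostport.split(":", 1)[0] not in ALLOWED_HOSTS:
        return None
    return scheme, hostport, rest


# Constructed sample page, as an internal web server would serve it.
SAMPLE_PAGE_URL = "https://intranet.example.corp/apps/index.html"
SAMPLE_HTML = """<html><body>
<a href="/hr/payslips">Payslips</a>
<a href="../portal/login?next=home#top">Portal</a>
<a href="https://hr.example.corp/benefits">Benefits</a>
<a href="https://www.example.com/public">Public site</a>
<a href="mailto:helpdesk@example.corp">Help desk</a>
<script src="//cdn.example.net/lib.js"></script>
<form action="submit.php" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    print(rewrite_html(SAMPLE_HTML, SAMPLE_PAGE_URL))
```

Running the block prints the sample page with the intranet and HR links routed through the gateway, while the public site, the CDN script and the mailto: link are left alone. Real pages also carry URLs in CSS, inline JavaScript and HTTP redirects, which is why clientless access in products of this class is limited to well-behaved web applications.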
Citrix SmartAccess Clients
Before we examine the feature set of Citrix Access Gateway Advanced Edition, let's review its client requirements. To enforce SmartAccess policies, up to three clients may be required on the end point: the Secure Access Client and two ActiveX controls. The Secure Access Client is a Win32 client used to establish a layer 3 tunnel. The first of the two ActiveX controls runs end-point scans; the second enables Citrix Live Edit. Note that the Secure Access Client requires administrative or Power Users rights to install, and both ActiveX controls may require that Internet Explorer's security settings allow the installation of ActiveX controls.
Table 2.3 shows the various SmartAccess clients, which functionality they provide, and which platform they are supported on.
| Client | Functionality | Supported Platform |
| --- | --- | --- |
| Web Browser | NAV UI | Windows, Mac and Linux with Internet Explorer, Safari and Mozilla |
| ICA Client | Access to Citrix Presentation Server hosted applications | Any |
| Java Runtime Environment (JRE) | Access to Citrix Presentation Server hosted applications via Citrix's Java ICA client | Any |
| Secure Access Client | Layer 3 tunnel | Windows |
| ActiveX controls | End-point scans and Live Edit | Windows |
Table 2.4 highlights Access Gateway Advanced Edition browser support.
| Platform | Browsers |
| --- | --- |
It is important to consider your browser requirements when designing an application delivery solution with Access Gateway Advanced Edition. The following requirements should be considered to ensure that you are able to meet your business requirements.
1. Features supported only on the Windows platform:
- Live Edit requires Windows 2000 or XP with IE 6+ configured to download signed ActiveX controls
- Endpoint Analysis requires Windows 98 or later with IE 5+ configured to download signed ActiveX controls, or Netscape 7+ or Mozilla Firefox, in which case the scan runs as a browser plug-in
2. The following features are available with only a browser, i.e. "clientless", without installing any Citrix clients on the end-point device:
- Viewing accessible documents through the HTML preview capability
- Accessing e-mail through the web-based native e-mail client
Note: Clientless access is only supported without end-point analysis.
3. Support for small form factor devices is limited to the following interfaces:
- Native web-based e-mail interface
- Web-based file shares
- Authentication screen
- Default homepage UI
- Re-factoring of documents, which is limited to simple text, HTML and Office documents
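The requirements above mean that end-point analysis evidence is sometimes absent (non-Windows clients, browsers that block the ActiveX control) and that access has to fall back to ICA only when it is. The Python below is an added example, not Citrix code, of how a SmartAccess-style decision can be made from end-point evidence: which access scenario a session gets and which ICA virtual channels it may use, failing closed when the scan did not run. The evidence fields, the seven-day signature threshold, the scenario names and the channel names are assumptions made for illustration.

```python
"""SmartAccess-style access decision from end-point analysis evidence.

Added example, not Citrix code: the evidence fields, thresholds, scenario
names and channel names are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Evidence:
    """What the end-point scan reported. None in place of an Evidence means the scan did not run."""
    os: str                  # "windows", "macos", "linux", ...
    domain_member: bool      # joined to the corporate domain, i.e. a managed device
    antivirus_running: bool
    signature_age_days: int  # age of the antivirus signature set
    firewall_enabled: bool


@dataclass(frozen=True)
class AccessDecision:
    scenario: str                  # "full_tunnel" or "ica_only"
    ica_channels: FrozenSet[str]   # ICA virtual channels the session may use
    reasons: Tuple[str, ...]       # recorded in the audit trail


ALL_CHANNELS = frozenset({"clipboard", "client_drives", "printing"})
MAX_SIGNATURE_AGE_DAYS = 7  # assumed compliance threshold


def failed_checks(ev: Evidence) -> List[str]:
    """Compliance checks a device must pass before any client-side channel is opened."""
    failures = []
    if ev.os.lower() != "windows":
        failures.append(f"unsupported OS for policy enforcement: {ev.os}")
    if not ev.antivirus_running:
        failures.append("antivirus not running")
    elif ev.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        failures.append(f"antivirus signatures are {ev.signature_age_days} days old")
    if not ev.firewall_enabled:
        failures.append("host firewall disabled")
    return failures


def decide_access(ev: Optional[Evidence]) -> AccessDecision:
    """Pick the access scenario and ICA channels a session gets.

    Fails closed: missing evidence is treated exactly like failed evidence.
    The evidence is self-reported by client-side code that the user controls,
    so this gates convenience features (tunnel, drive mapping, clipboard);
    the back-end systems must keep their own server-side controls.
    """
    if ev is None:
        return AccessDecision("ica_only", frozenset(), ("end-point scan did not run",))
    failures = failed_checks(ev)
    if failures:
        return AccessDecision("ica_only", frozenset(), tuple(failures))   # fallback to ICA only
    if not ev.domain_member:
        # Healthy but unmanaged device: published applications only, and no
        # channel that moves files onto the client.
        return AccessDecision("ica_only", frozenset({"clipboard", "printing"}),
                              ("compliant but not a domain member",))
    return AccessDecision("full_tunnel", ALL_CHANNELS, ("all end-point checks passed",))


# Constructed sample end points.
SAMPLE_ENDPOINTS = {
    "corporate_laptop": Evidence("windows", True, True, 2, True),
    "home_pc": Evidence("windows", False, True, 1, True),
    "stale_av_laptop": Evidence("windows", True, True, 30, True),
    "mac_browser": None,   # scan could not run on this platform
}

if __name__ == "__main__":
    for name, ev in SAMPLE_ENDPOINTS.items():
        d = decide_access(ev)
        print(f"{name:16} {d.scenario:12} channels={sorted(d.ica_channels)} reasons={d.reasons}")
```

The reasons tuple is what a detailed audit trail needs: an operator reading the log can see why a given session was confined to ICA only rather than only that it was.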
Citrix Access Gateway Standard Edition Hardware Specifications
The Access Gateway Standard Edition has one hardware model, the Access Gateway 2000, which is built for Citrix on Supermicro hardware.
List 2.1 highlights the Access Gateway 2000 specifications:
- 2.8 GHz Pentium 4
- 1 GB RAM
- 40 GB drive
- 2 NICs (1 Gbit/s each)
- 1 rack unit in height, with rail kit
- Access Gateway firmware (software)
- Port access: TCP 443 and 9001
- 200 concurrent connections at 300 Mbit/s
- VoIP support