Chapter 3: Citrix Access Gateway Advanced Edition Architecture

This chapter starts with a review of the Citrix Access Gateway Advanced Edition components and their traffic flow. The first section reviews Advanced Access Control, which runs on Microsoft Internet Information Services (IIS), followed by an overview of the Citrix Access Gateway Standard Edition appliance.

Citrix Advanced Access Control can be deployed on a single physical or virtual IIS machine for evaluation purposes, or on multiple physical or virtual IIS machines for a production deployment. The next list highlights each individual Advanced Access Control feature and component. Each component can be installed on a single IIS server for evaluation purposes, or on dedicated physical or virtual servers for fault tolerance and high availability:

  • Web Server – facilitates connection establishment, session creation, and policy enforcement. Hosts the NAV UI interface and forwards traffic to the Agent server for access center requests. The Web server consists of several modules including the Authentication Service, Endpoint Analysis Service, Session Manager, Web Proxy, Policy Engine, Auditing Service, Logon Agent Service, Gateway Notification Service, Gateway Configuration Service and Host.DLL (only for Access Centers). Each of these modules is reviewed further in this document.
  • HTML Preview Server – converts MS Office, Visio and Adobe PDF documents to HTML so they can be previewed with a browser. This scenario leaves the original document on the internal network.
  • Server Farm Database Server – MSDE or MS SQL support. Stores all Advanced Access Control configurations that are made within the Access Suite Console. Also stores static and dynamic session information for open, established sessions.

The next image shows Citrix Access Gateway Advanced Edition services and the inter-machine communication between a Citrix Access Gateway Standard Edition appliance and Citrix Advanced Access Control. 

Figure 3.1 (Source: Citrix 2006 Summit PowerPoint)

The Citrix Access Gateway Standard Edition appliance performs the heavy lifting within the Access Gateway Advanced Edition architecture. When an appliance starts up, it notifies the Advanced Access Control web server that it is online. The Advanced Access Control Web server then retrieves appliance configurations which are displayed in the management console.  The appliance also receives a list of available logon points and caches the static logon point resources to improve performance during the connection process. 

Table 3.1 lists the services that run on a Citrix Advanced Access Control machine.

Service – Explanation
Logon Agent Service – HTML rendering, page execution and rule set validation. Communicates with the appliance Connection Manager.
Authentication Service – Ticket validation. Communicates with the appliance Connection Manager.
Endpoint Analysis Service – Receives Endpoint Analysis client requests from the appliance Endpoint Analysis Proxy.
Gateway Notification Service – Pushes state change notifications to the appliance Connection Manager.
Gateway Configuration Service – Receives cluster and session configuration requests from the appliance Configuration Service.
Session Manager – Pushes notification requests to the Gateway Notification Service.
Configuration Business Objects – Pushes notification requests to the Gateway Notification Service and receives cluster configurations from the Gateway Configuration Service.
Policy Engine – Receives session configuration from the Gateway Configuration Service.

Table 3.2 lists the services that run on a Citrix Access Gateway Standard Edition appliance.

Service – Explanation
Connection Manager – Manages client connections, communicates with the Logon Agent Service and the Authentication Service, and receives state change notifications from the Gateway Notification Service.
Endpoint Analysis Proxy – Proxies client Endpoint Analysis requests to the Endpoint Analysis Service.
Configuration Service – Pushes cluster and session configuration requests to the Gateway Configuration Service.

Table 3.3 shows the appliance and Advanced Access Control responsibilities.

Citrix Access Gateway Standard Edition appliance Responsibilities

  • Detect new user sessions
  • Proxy traffic between the client workstation and LAN (such as between the endpoint analysis client on the client workstation and the endpoint analysis service on the Advanced Access Control Web server, or between the Secure Access Client (VPN client) and a server in the LAN)
  • Cache static resources used during the authentication (login) sequence
  • Coordinate with Advanced Access Control to deliver dynamic pages used during the logon sequence, and validate the user responses prior to forwarding them back to Advanced Access Control.
  • Enforce Advanced Access Control policies specific to the appliance (obtained as a result of logon) on each user session
  • Associate each user session with an Advanced Access Control session key
  • Ensure that each user session has a valid Advanced Access Control session (to ensure proper product licensing)
  • Refresh user sessions when requested by Advanced Access Control

Citrix Advanced Access Control Responsibilities

  • Allow system administrators to define access and connection policies
  • Allow system administrators to define endpoint analysis rules
  • Perform endpoint analysis by communicating with the endpoint analysis client running on the end user's workstation.
  • Accept or reject a user session based on endpoint analysis scan results and user credentials
  • Drive the endpoint analysis, authentication, and client activation process with the assistance of the appliance
  • Furnish the appliance with an XML description of the session policies. This session is identified by means of a common session key defined by Advanced Access Control.
  • Notify the appliance(s) when a change has occurred to a user session. This indicates to the Access Gateway to refresh session policies for all active sessions.
  • Perform system maintenance on the Access Gateway appliance (such as notifying when configuration changes have been made)
  • Perform URL re-writing and document protection
  • Allow web-based access to file shares
  • Generate a portal (landing page) for the user session
  • Acquire and release product licenses from the Citrix License Server


Appliance, Advanced Access Control and Access Management Console Traffic & Firewall Traversal

As shown in the previous section, various ports are used for inter-machine communication. The following list highlights which ports are used for inter-machine and admin console communication.

  • 80 or 443 for an appliance to make requests to Advanced Access Control.
  • 9005 for Advanced Access Control to notify an appliance of configuration changes. This is called the notification port.
  • 9002 for Access Gateway Administration Tool using the Java console (assuming your XP workstation below is behind the firewall)
  • 9001 for Access Gateway Administrative Portal and the Citrix Admin Monitor.

The Access Gateway Administration Portal is an HTML interface which is accessible by pointing a Web browser to https://yourgatewayname:9001. It allows administrators to perform basic maintenance and provides the ability to download documentation, installers and log files for a single appliance.

Figure 3.2

The Administration Desktop is used for monitoring an appliance. It allows access to a variety of on-board monitoring tools.

Authentication Flow
This section will review the authentication flow. The next image shows the authentication flow from a client device through Active Directory.

Figure 3.3 (Source: Citrix 2006 Summit PowerPoint)

This section will review each step in the authentication flow starting from the client device to Active Directory including the Citrix Presentation Server environment.

Client -- Appliance
A user points her browser to an SSL-encrypted logon point using HTTPS on port 443, e.g. https://yourcompany.com. The user enters her credentials and clicks the Login button to gain access to the NAV UI or to launch the Secure Access Client.

Appliance -- Authentication Service
The credentials from the above logon event are passed as unencrypted data in a SOAP envelope from the appliance to the Authentication Service on a Citrix Advanced Access Control Web server. The SOAP traffic can and “should” be encrypted using SSL.

Logon Agent Service -- Logon Point
The Logon Agent Service passes the credentials via HTTP to the Logon Point, i.e. localhost:80. The Logon Agent Service connects to the Logon Point on behalf of gateway users, essentially acting as a connection proxy.

Logon Point -- Authentication Service
The Logon Point passes the credentials in a SOAP envelope to the Authentication Service, i.e. localhost:80.

Authentication Service -- Active Directory
The Authentication Service authenticates the user against Active Directory using Kerberos or NTLM.

Appliance Connection Manager -- Citrix Presentation Server Secure Ticket Authority (STA)
There is actually no user name or password information transferred from the Access Gateway to the Secure Ticket Authority. A session ticket is passed as an XML message in HTTP from the Appliance Connection Manager to the Secure Ticket Authority. The Session Ticket information is sensitive because it contains Citrix Presentation Server connection information which allows a user to open an ICA connection through the firewall.

Note: All Citrix Access Gateway Advanced Edition environments should use SSL or IPSEC to secure the Secure Ticket Authority traffic.
Authentication Service -- Presentation Server XML Service
The username/domain is sent in clear text although the password is encoded with a hash. The XML message can and should be encrypted using SSL. There is a checkbox in the Presentation Server farm settings to configure SSL to secure the traffic.
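The port list in the firewall traversal section and the hop-by-hop authentication flow above both come down to the same deployment check: is every required flow permitted by the firewall, and is every hop that carries credentials or a session ticket protected with SSL? The script below is an added example, not Citrix code; the role names, the planned port choices, the TLS flags and the firewall rule set are constructed assumptions for a deliberately weak plan.

```python
"""Audit a planned Access Gateway Advanced Edition deployment against the
inter-machine flows and transport requirements described in this chapter.
Role names, port choices and firewall rules are constructed assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str          # originating role
    dst: str          # receiving role
    port: int         # TCP port the receiver listens on
    purpose: str
    sensitive: bool   # carries credentials or a session ticket
    tls: bool         # operator has enabled SSL on this hop

# Flows taken from the port list and the authentication flow in this chapter.
# Port choices and TLS flags are a constructed, deliberately weak plan.
PLANNED = [
    Flow("appliance", "aac_web", 80, "SOAP logon credentials to Authentication Service", True, False),
    Flow("aac_web", "appliance", 9005, "configuration change notifications", False, False),
    Flow("admin_ws", "appliance", 9002, "Administration Tool (Java console)", False, True),
    Flow("admin_ws", "appliance", 9001, "Administration Portal / Admin Monitor", False, True),
    Flow("appliance", "sta", 80, "session ticket XML to Secure Ticket Authority", True, False),
    Flow("aac_web", "xml_service", 443, "username/domain plus hashed password", True, True),
]

# Constructed firewall policy: (src role, dst role, port) tuples that are allowed.
# The notification port (9005) back to the appliance is missing on purpose.
ALLOWED = {
    ("appliance", "aac_web", 80),
    ("admin_ws", "appliance", 9002),
    ("admin_ws", "appliance", 9001),
    ("appliance", "sta", 80),
    ("aac_web", "xml_service", 443),
}

def audit(flows, allowed):
    """Return (hop, finding) pairs for blocked flows and for sensitive hops without SSL."""
    findings = []
    for f in flows:
        hop = f"{f.src}->{f.dst}:{f.port}"
        if (f.src, f.dst, f.port) not in allowed:
            findings.append((hop, "firewall blocks required flow: " + f.purpose))
        if f.sensitive and not f.tls:
            findings.append((hop, "sensitive data in clear text, enable SSL: " + f.purpose))
    return findings

if __name__ == "__main__":
    for hop, msg in audit(PLANNED, ALLOWED):
        print(hop, "-", msg)
```

Running it against the constructed plan reports the blocked notification port and the two clear-text hops (appliance to Authentication Service, appliance to STA); enabling SSL on every hop and allowing 9005 back to the appliance clears all findings.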