Chapter 4: Access Gateway Advanced Edition System Design
This chapter will review Citrix Access Gateway Advanced Edition system design. The first section will review a remote access design with a Citrix Access Gateway Standard Edition appliance placed in a DMZ. The following section will review an internal access design with a Citrix Access Gateway Standard Edition appliance placed in a DMZ between the user and data security domains.
Both examples in Chapter 4 will reference three basic security domains in terms of system design: the data, the user and the transport security domain. Let's review the security domains before we move on to our design examples. The data security domain is represented in Figure 4.1 as a data center and a DMZ network. The data security domain is split between two isolated networks: one isolated network hosts the IT infrastructure (the data center) and the second isolated network hosts services in the DMZ. The user security domain is represented in Figure 4.1 as an isolated network where the end users and their network devices live. The transport security domain is what connects all of the security domains, i.e. the user and data security domains to each other and to the Internet. These terms are typically defined in an organization's enterprise security architecture.
Figure 4.1 shows the three security domains referenced throughout this chapter.

Note: If an organization wishes to enforce SmartAccess policies, network traffic between the user and the data security domains must flow through a Citrix Access Gateway Standard Edition appliance and each workstation must have a Citrix Secure Access client installed.
DNS Resolution
As shown in the authentication flow section, appliances need to communicate with the Advanced Access Control web servers: outbound from the web server on port 9005 and inbound to the web server on port 80 or 443. The appliances do not obtain name resolution for internal Web, file and email resources from Advanced Access Control. Advanced Access Control does not provide all address resolution for an appliance unless the Advanced Access Control web server itself is a DNS server (not very common) and the appliance has been configured to point to Advanced Access Control for resolution requests. If Advanced Access Control is not a DNS server, any resource not accessed through the web proxy must be resolvable by the appliance itself. This is why it is necessary to configure DNS server settings and suffixes on every Citrix appliance.
Remote Access
This section will review three different remote access designs with an appliance in a DMZ. The difference between the three designs is how the appliance's two Ethernet ports are used and which network segments the NICs are placed in. The first example will use one Ethernet port (int0), which requires meticulous firewall rules to allow traffic to flow from the appliance in the DMZ to each desired service or network resource in the data security domain. The second design uses both Ethernet ports, int0 and int1, straddling the DMZ. This design works without any additional firewall rules or configurations between the DMZ and the data security domain, effectively routing and filtering traffic through a Citrix Access Gateway Standard Edition appliance. The downside to this configuration is that the second NIC is placed in the data center security domain, eliminating the ability to execute deep packet inspection on the second NIC. The third example places both Ethernet ports, int0 and int1, in the DMZ. Int0 is used as the external NAT address while int1 is used for communication to the data security domain. This design gives firewall administrators the ability to create meticulous firewall rules on the second NIC and allows deep packet inspection to be configured on int1.
Exchange and Outlook Support
If supporting Exchange and Outlook synchronization is a requirement, it may be necessary to open a wide range of ports to allow Outlook clients to connect to the Exchange service. By default the Exchange service uses a random available port greater than 1024. This port changes with each reboot of the Exchange server. Another option is to configure static ports for the Exchange Server service (http://support.microsoft.com/?kbid=270836).
Design 1: The Citrix Access Gateway Standard appliance is located in the DMZ using a single NIC
Appliance is placed in a DMZ using a single Ethernet port int0.
- This requires port 443 to be open to the Internet for remote access. Also, all desired ports are opened between the DMZ and the data security domain to allow the delivery of services, e.g. internal DNS, IMAP, POP3, SNMP, HTTP, SMB, LDAP, etc. If Outlook synchronization is a requirement, it will be necessary to open a wide range of ports to allow Outlook clients to connect to the Exchange service. By default, the Exchange service uses a random available port greater than 1024. This port changes with each reboot of the Exchange server. Another option is to configure static Exchange Service ports.
- Port 80 or 443 is used by an appliance to make requests to an Advanced Access Control server; 9005 is used by the Advanced Access Control machine to notify an appliance of configuration changes; 9002 provides access to the Access Gateway Administration Tool using the Java console; 9001 is used by the Access Gateway Administrative Portal and the Citrix Admin Monitor.
Figure 4.2 shows an appliance in a DMZ using a single Ethernet port, int0.

Design 2: The Citrix Access Gateway Standard appliance is located in the DMZ using both NICs straddling the DMZ
Appliance straddles a DMZ and both Ethernet ports int0 and int1 are used.
- This requires port 443 to be open to the Internet, and no additional firewall rules need to be created between the DMZ and the data security domain. When an appliance straddles a DMZ, this effectively bridges the DMZ and data center network, allowing all traffic to flow through the appliance.
Figure 4.3 shows an appliance straddling a DMZ using both Ethernet ports int0 and int1.

Design 3: The Citrix Access Gateway Standard appliance is located in the DMZ using both NICs in the DMZ
Appliance sits in a DMZ and both Ethernet ports int0 and int1 are used.
- Int0: This requires port 443 to be open to the Internet for remote access. Int1: All desired ports must be open between the DMZ and the data security domain to allow the delivery of services, e.g. internal DNS, IMAP, POP3, SNMP, HTTP, SMB, LDAP, etc. If Outlook synchronization is a requirement, it will be necessary to open a wide range of ports to allow Outlook clients to connect to the Exchange service. By default, the Exchange service uses a random available port greater than 1024. This port changes with each reboot of the Exchange server. Another option would be to configure static Exchange Service ports.
- Int1: Port 80 or 443 is open so an appliance can make requests to an Advanced Access Control server; 9005 is used by an Advanced Access Control machine to notify an appliance of configuration changes; 9002 is used by the Access Gateway Administration Tool using the Java console; 9001 is used for the Access Gateway Administrative Portal and the Citrix Admin Monitor.
Figure 4.4 shows an appliance in a DMZ where both Ethernet ports int0 and int1 are used.
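The int1 firewall policy in Design 3 (and the DMZ-to-data-center policy in Design 1) is only as good as the rules that implement it. The following added example, which is not part of the Citrix documentation, audits a constructed rule set against the flows this chapter lists and shows how much of the port space the Outlook dynamic-port requirement forces open compared with static Exchange Service ports. Zone labels, the RPC endpoint mapper port 135 and the static port numbers are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str    # constructed zone label: "ag-int1", "aac", "admin", "datacenter"
    dst: str
    proto: str
    lo: int     # first port of the allowed range
    hi: int     # last port of the allowed range (inclusive)

    def allows(self, src, dst, proto, port):
        return (self.src == src and self.dst == dst
                and self.proto == proto and self.lo <= port <= self.hi)

# Flows this chapter lists for the int1 leg (DMZ <-> data security domain).
REQUIRED_FLOWS = [
    ("ag-int1", "aac", "tcp", 443, "appliance requests to Advanced Access Control"),
    ("aac", "ag-int1", "tcp", 9005, "AAC notifies appliance of config changes"),
    ("admin", "ag-int1", "tcp", 9002, "Administration Tool (Java console)"),
    ("admin", "ag-int1", "tcp", 9001, "Administrative Portal / Admin Monitor"),
    ("ag-int1", "datacenter", "udp", 53, "internal DNS"),
    ("ag-int1", "datacenter", "tcp", 389, "LDAP"),
    ("ag-int1", "datacenter", "tcp", 445, "SMB"),
    ("ag-int1", "datacenter", "tcp", 143, "IMAP"),
]

def audit(rules):
    """Return (descriptions of required flows no rule allows,
    number of TCP/UDP ports the policy opens into the data center)."""
    missing = [desc for s, d, p, port, desc in REQUIRED_FLOWS
               if not any(r.allows(s, d, p, port) for r in rules)]
    opened = sum(r.hi - r.lo + 1 for r in rules if r.dst == "datacenter")
    return missing, opened

def base_rules():
    return [Rule("ag-int1", "aac", "tcp", 443, 443),
            Rule("aac", "ag-int1", "tcp", 9005, 9005),
            Rule("admin", "ag-int1", "tcp", 9001, 9002),
            Rule("ag-int1", "datacenter", "udp", 53, 53),
            Rule("ag-int1", "datacenter", "tcp", 143, 143),
            Rule("ag-int1", "datacenter", "tcp", 389, 389),
            Rule("ag-int1", "datacenter", "tcp", 445, 445)]

# Outlook with the default dynamic Exchange port (>1024, changes on reboot):
# the only way to guarantee connectivity is to open the whole high range.
def outlook_dynamic_rules():
    return base_rules() + [Rule("ag-int1", "datacenter", "tcp", 135, 135),
                           Rule("ag-int1", "datacenter", "tcp", 1025, 65535)]

# Outlook with static Exchange Service ports (KB 270836). The numbers are
# placeholders; use the ports actually configured on the Exchange server.
def outlook_static_rules(static_ports=(6001, 6002)):
    return base_rules() + [Rule("ag-int1", "datacenter", "tcp", 135, 135)] + \
        [Rule("ag-int1", "datacenter", "tcp", p, p) for p in static_ports]
```

Run `audit()` over each rule set: the dynamic-port policy opens over 64,000 ports into the data center to satisfy one client, while the static-port policy satisfies the same flows with a handful, which is the reduction that makes meticulous per-port rules and deep packet inspection on int1 practical.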

Internal Access
An internal access design uses the same strategies as shown in the three previous examples. The difference between the example designs is how the appliance's Ethernet ports are used and in which network segments the NICs are placed. The first internal access example will use one Ethernet port (int0), which requires meticulous firewall rules to allow traffic to flow from the appliance in the DMZ to each desired service or network resource in the data security domain. The second design uses both Ethernet ports, int0 and int1, straddling the DMZ. The second example design works without the need for any additional firewall rules between the DMZ and the data center network, effectively routing and filtering traffic through a Citrix Access Gateway Standard appliance. The downside to this configuration is that the second NIC is placed in the data security domain, eliminating the ability to do deep packet inspection on the second NIC. The third example places both Ethernet ports, int0 and int1, in the DMZ. Int0 is used as the external NAT address while int1 is used for communication to the data security domain. This configuration gives firewall administrators the ability to create meticulous firewall rules on the second NIC and allows deep packet inspection on int1.
If an organization has the need to enforce SmartAccess protocol entitlements, network traffic between the user and data center networks must flow through an Access Gateway appliance. In this scenario each end point device must have a Secure Access client. In the event that SmartAccess policies are not required, end points can communicate directly with an Advanced Access Control web server. This scenario does not require any additional configuration on existing switches or routers, nor is a Secure Access client required on the workstation.
Tip: This may be preferred in thin client and non-Windows environments where an Access client cannot be installed.
Design 1: The Citrix Access Gateway Standard appliance is located in the DMZ using a single NIC
- This requires port 443 to be open to the Internet for remote access. Also, all desired ports are opened between the DMZ and the data security domain to allow the delivery of services, e.g. internal DNS, IMAP, POP3, SNMP, HTTP, SMB, LDAP, etc. If Outlook synchronization is a requirement, it will be necessary to open a wide range of ports to allow Outlook clients to connect to the Exchange service. By default, the Exchange service uses a random available port greater than 1024. This port changes with each reboot of the Exchange server. Another option is to configure static Exchange Service ports.
- Port 80 or 443 is used by an appliance to make requests to an Advanced Access Control server; 9005 is used by the Advanced Access Control machine to notify an appliance of configuration changes; 9002 provides access to the Access Gateway Administration Tool using the Java console; 9001 is used by the Access Gateway Administrative Portal and the Citrix Admin Monitor.
Figure 4.5 shows an appliance in a DMZ between the user and data security domains.

Design 2: The Citrix Access Gateway Standard appliance is located in the DMZ using both NICs straddling the DMZ
- This requires port 443 to be open to the Internet, and no additional firewall rules need to be created between the DMZ and the data security domain. When an appliance straddles a DMZ, this effectively bridges the DMZ and data center network, allowing all traffic to flow through the appliance.
Figure 4.6 shows an appliance straddling a DMZ using both Ethernet ports int0 and int1.

Design 3: The Citrix Access Gateway Standard appliance is located in the DMZ using both NICs in the DMZ
- Int0: This requires port 443 to be open to the Internet for remote access. Int1: All desired ports must be open between the DMZ and the data security domain to allow the delivery of services, e.g. internal DNS, IMAP, POP3, SNMP, HTTP, SMB, LDAP, etc. If Outlook synchronization is a requirement, it will be necessary to open a wide range of ports to allow Outlook clients to connect to the Exchange service. By default, the Exchange service uses a random available port greater than 1024. This port changes with each reboot of the Exchange server. Another option would be to configure static Exchange Service ports.
- Int1: Port 80 or 443 is open so an appliance can make requests to an Advanced Access Control server; 9005 is used by an Advanced Access Control machine to notify an appliance of configuration changes; 9002 is used by the Access Gateway Administration Tool using the Java console; 9001 is used for the Access Gateway Administrative Portal and the Citrix Admin Monitor.
Figure 4.7 shows an appliance in a DMZ where both Ethernet ports int0 and int1 are used.

The next section will review fault tolerance and high availability configurations.
Fault Tolerance and High Availability Design Considerations
Both components in a Citrix Access Gateway Advanced Edition solution, namely an appliance and the Advanced Access Control web server, can be configured to provide fault tolerance and high availability by utilizing hardware load balancing. Multiple Access Gateways as well as Advanced Access Control web servers can be load balanced by using a virtual IP (VIP) with the appropriate DNS entries.
Figure 4.8 shows a fault tolerant design.

Incidentally, Citrix has a hardware load balancing product portfolio that can be used to load balance Citrix Access Gateway Standard Edition appliances as well as Advanced Access Control web servers.
The following list shows the desired load balancing persistence metrics:
From Access Gateway to Advanced Access Control:
- Layer 7 LB: Cookie Hashing
- Cookie Name: LogonSessionID
From Secure Access client to Access Gateway:
- SSL SessionID
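The two persistence metrics above differ in which layer the load balancer reads: the LogonSessionID cookie from the HTTP request for the Advanced Access Control tier, and the SSL session ID from the TLS handshake for the Access Gateway tier. The following added example, which is not vendor code, models both selections with a stable hash so the same session key always lands on the same backend regardless of how the pool is listed, and reports the one failure mode an operator must check: requests that carry no key and therefore cannot be pinned. Header and session values are constructed.

```python
import hashlib

def stable_hash(value: str) -> int:
    """Process-independent hash (Python's hash() is salted per run)."""
    return int.from_bytes(hashlib.sha256(value.encode()).digest()[:8], "big")

def choose_backend(key, backends):
    """Hash-mod-N selection over a sorted pool; None when there is no key,
    which is the case a load balancer falls back to its default algorithm."""
    if not key or not backends:
        return None
    pool = sorted(backends)
    return pool[stable_hash(key) % len(pool)]

def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            out[name] = value
    return out

def persist_aac(request_headers: dict, aac_servers):
    """Layer 7 persistence: Access Gateway -> Advanced Access Control,
    keyed on the LogonSessionID cookie named in the chapter."""
    cookies = parse_cookies(request_headers.get("Cookie", ""))
    return choose_backend(cookies.get("LogonSessionID"), aac_servers)

def persist_ag(ssl_session_id_hex: str, gateways):
    """Layer 4/SSL persistence: Secure Access client -> Access Gateway,
    keyed on the TLS session ID (hex string as a hypothetical LB exposes it)."""
    return choose_backend(ssl_session_id_hex, gateways)

def stickiness_report(requests, aac_servers):
    """Given (session_key, headers) pairs, return the number of sessions that
    reached more than one backend (should be 0) and the number of requests
    that could not be pinned because the cookie was missing."""
    seen, unpinned = {}, 0
    for key, headers in requests:
        backend = persist_aac(headers, aac_servers)
        if backend is None:
            unpinned += 1
            continue
        seen.setdefault(key, set()).add(backend)
    split = sum(1 for targets in seen.values() if len(targets) > 1)
    return split, unpinned
```

A non-zero unpinned count in `stickiness_report` means requests arrived before the LogonSessionID cookie was set, or a client stripped it; those requests are spread by the default algorithm and will not follow the user's session.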