Citrix Access Gateway Advanced Edition Architecture and System Design
Author:
Roddy Rodstein, CISSP, MCSE, CEH, CCA
Limits of Liability and Disclaimer of Warranty
This publication contains information protected by copyright. This publication may not be duplicated in any way without the express written consent of the publisher, except in the form of brief excerpts or quotations for the purpose of review. The information contained herein is for the personal use of the reader and may not be incorporated in any commercial programs, other books, databases, or any kind of software without the written consent of the publisher. Making copies of this publication or any portion for any purpose other than your own is a violation of United States copyright laws.
Warning and Disclaimer
Every effort has been made to make this publication as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an "as is" basis. The authors and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this publication.
The information found in this publication was gathered from many different sources in the computing world. It is provided for informational purposes only. Use common sense in applying these concepts and tips. Screen shots may vary from environment to environment. Please verify correctness and applicability in a test environment first and then deploy to your production environment(s).
© 2008 Roddy Rodstein
http://seoutsourcing.com
All rights reserved.
Trademarks
Trademarked names appear throughout this publication. Rather than listing the names and entities that own the trademarks or include a trademark symbol with each mention of the trademark name, the publisher states that he is using the name for editorial purposes only and to the benefit of the trademark owner, with no intention of infringing upon that trademark.
About the Author
Roddy Rodstein (CISSP, MCSE, LPI, CEH, CCA) has over 10 years of professional experience in the IT industry. In his current role at Oracle, he is a member of the Unbreakable Linux and Oracle VM team. Before joining Oracle, Roddy spent six years at Citrix supporting the company's core product, XenApp. During his tenure with Citrix, he wrote and published an “in the Box” series of e-Books, including Nfuse Elite in a Box, MetaFrame Secure Access Manager in a Box, MetaFrame Presentation Server for UNIX in a Box, and Citrix SmartAccess in a Box. Earlier in his career, Roddy successfully established, owned, and operated an IT consulting business that specialized in server based computing and remote access solutions. His professional achievements also extend to writing and self-publishing industry reference guides currently available on Amazon, Securing Microsoft Terminal Services (ISBN: 061514330X) and Citrix CCA MetaFrame 1.8 for Windows Exam Cram (ISBN: 1576109453).
The first section of the Citrix Access Gateway Advanced Edition Architecture and System Design publication will review Citrix Access Gateway Advanced Edition components, traffic flow and system design.
The components and traffic flow section will provide an overview of Citrix Access Gateway Advanced Edition components and traffic flow. The first section will review Citrix Advanced Access Control followed by a review of the Citrix Access Gateway Standard Edition appliance.
Citrix Advanced Access Control can be deployed on a single Windows server for evaluation purposes, or on multiple Windows servers for a production deployment. List 1.1 highlights each Citrix Advanced Access Control feature and component. Each Citrix Advanced Access Control component can be installed on a single server for evaluation purposes or installed on dedicated servers for fault tolerance and high availability:
List 1.1
- Web Server – The Web Server facilitates connection establishment, session creation, and policy enforcement. The Web server hosts the NAV UI interface and forwards traffic to the Agent server for access center requests. The Web server consists of several modules including the Authentication Service, Endpoint Analysis Service, Session Manager, Web Proxy, Policy Engine, Auditing Service, Logon Agent Service, Gateway Notification Service, Gateway Configuration Service and Host.DLL (only for Access Centers).
- HTML Preview Server – The HTML Preview Server converts MS Office, Visio and Adobe PDF documents to HTML so they can be previewed with a browser. The HTML Preview Server leaves the original document on the internal network.
- Server Farm Database Server – The Server Farm Database Server supports MSDE or MS SQL. The Server Farm Database Server stores all Advanced Access Control configurations that are made within the administrative console. The Server Farm Database Server also stores static and dynamic session information for open and established sessions.
Figure 1.1 shows Citrix Access Gateway Advanced Edition services and the inter-machine communication between a Citrix Access Gateway Standard Edition appliance and Citrix Advanced Access Control.
Figure 1.1
Source: Citrix 2006 Summit PowerPoint.
The Citrix Access Gateway Standard Edition appliance performs the heavy lifting within the Access Gateway Advanced Edition architecture. When an appliance starts up, it notifies the Citrix Advanced Access Control Web server that it is online. It then retrieves appliance configurations, which are displayed in the administrative console. The appliance also receives a list of available logon points and caches the static logon point resources to improve performance during the connection process.
Table 1.1 lists the services that run on a Citrix Advanced Access Control machine.
Table 1.1
| Service | Explanation |
| --- | --- |
| Logon Agent Service | HTML rendering, page execution and rule set validation. Communicates with the appliance Connection Manager. |
| Authentication Service | Ticket validation. Communicates with the appliance Connection Manager. |
| Endpoint Analysis Service | Receives Endpoint Analysis client requests from the appliance Endpoint Analysis Proxy. |
| Gateway Notification Service | Pushes state change notifications to the appliance Connection Manager. |
| Gateway Configuration Service | Receives cluster and session configuration requests from the appliance Configuration Service. |
| Session Manager | Pushes notification requests to the Gateway Notification Service. |
| Configuration Business Objects | Pushes notification requests to the Gateway Notification Service and receives cluster configurations from the Gateway Configuration Service. |
| Policy Engine | Receives session configuration from the Gateway Configuration Service. |
Table 1.2 lists the services that run on a Citrix Access Gateway Standard Edition appliance.
Table 1.2
| Service | Explanation |
| --- | --- |
| Connection Manager | Manages client connections, communicates with the Logon Agent Service and the Authentication Service, and receives state change notifications from the Gateway Notification Service. |
| Endpoint Analysis Proxy | Proxies client Endpoint Analysis requests to the Endpoint Analysis Service. |
| Configuration Service | Pushes cluster and session configuration requests to the Gateway Configuration Service. |
Table 1.3 shows the appliance and Advanced Access Control responsibilities.
Table 1.3
Citrix Access Gateway Standard Edition Responsibilities
- Detect new user sessions
- Proxy traffic between the client workstation and LAN (such as between the endpoint analysis client on the client workstation and the endpoint analysis service on the Advanced Access Control Web server, or between the Secure Access Client (VPN client) and a server in the LAN)
- Cache static resources used during the authentication (login) sequence
- Coordinate with Advanced Access Control to deliver dynamic pages used during the logon sequence, and validate the user responses prior to forwarding them back to Advanced Access Control
- Enforce Advanced Access Control policies specific to the appliance (obtained as a result of logon) on each user session
- Associate each user session with an Advanced Access Control session key
- Ensure that each user session has a valid Advanced Access Control session (to ensure proper product licensing)
- Refresh user sessions when requested by Advanced Access Control
Citrix Advanced Access Control Responsibilities
- Allow system administrators to define access and connection policies
- Allow system administrators to define endpoint analysis rules
- Perform endpoint analysis by communicating with the endpoint analysis client running on the end user's workstation
- Accept or reject a user session based on endpoint analysis scan results and user credentials
- Drive the endpoint analysis, authentication, and client activation process with the assistance of the appliance
- Furnish the appliance with an XML description of the session policies. The session is identified by means of a common session key defined by Advanced Access Control
- Notify the appliance(s) when a change has occurred to a user session. This indicates to the Access Gateway to refresh session policies for all active sessions
- Perform system maintenance on the Access Gateway appliance (such as notifying when configuration changes have been made)
- Perform URL re-writing and document protection
- Allow web-based access to file shares
- Generate a portal (landing page) for the user session
- Acquire and release product licenses from the Citrix License Server
As shown in the previous section, there are various ports used for inter-machine communication. List 1.2 highlights which ports are used for inter-machine and admin console communication.
List 1.2
- 80 or 443 for an appliance to make requests to Advanced Access Control.
- 9005 for Advanced Access Control to notify an appliance of configuration changes. This is called the notification port.
- 9002 for the Access Gateway Administration Tool using the Java console (assuming the administrator's XP workstation is behind the firewall).
- 9001 for Access Gateway Administrative Portal and the Citrix Admin Monitor.
The Access Gateway Administration Portal is an HTML interface which is accessible by pointing a Web browser to https://yourgatewayname:9001. It allows administrators to perform basic maintenance and provides the ability to download documentation, installers and log files for a single appliance.
Figure 1.2 shows the Access Gateway Administration Portal user interface.
The Administration Desktop is used for monitoring an appliance. It allows access to a variety of on-board monitoring tools.
Authentication Flow
This section will review Citrix Access Gateway Advanced Edition authentication flow. Figure 1.3 shows the flow of an Active Directory authentication initiated from a web browser.
Figure 1.2
Source: Citrix 2006 Summit PowerPoint, updated by Roddy Rodstein.
The next section will review the Citrix Access Gateway Advanced Edition authentication flow, starting from the client device and ending at Active Directory, including the Citrix XenApp or Citrix XenDesktop components.
1. Client -- Appliance
A user points her browser to an SSL-encrypted Logon Point using HTTPS on port 443, e.g. https://yourcompany.com. The user enters her credentials and clicks the Login button.
2. Appliance -- Authentication Service
The credentials from step 1 are passed as unencrypted data in a SOAP envelope from the appliance to the Authentication Service on a Citrix Advanced Access Control Web server.
Note: The SOAP traffic can and “should” be encrypted using SSL. By default the SOAP traffic is not encrypted.
3. Logon Agent Service -- Logon Point
The Logon Agent Service passes the credentials via HTTP to the Logon Point, i.e. localhost:80. The Logon Agent Service connects to the Logon Point on behalf of gateway users, essentially acting as a connection proxy.
4. Logon Point -- Authentication Service
The Logon Point passes the credentials in a SOAP envelope to the Authentication Service, i.e. localhost:80.
5. Authentication Service -- Active Directory
The Authentication Service authenticates the user against Active Directory using Kerberos or NTLM.
6. Appliance Connection Manager -- Citrix XenApp or XenDesktop Secure Ticket Authority (STA)
No user name or password information is transferred from the Access Gateway to the Secure Ticket Authority. A session ticket is passed as an XML message over HTTP from the Appliance Connection Manager to the Secure Ticket Authority. The session ticket is sensitive because it contains Citrix XenApp or Citrix XenDesktop connection information, which allows a user to open an ICA connection through the firewall.
Note: All Citrix Access Gateway Advanced Edition environments should use SSL or IPsec to secure all Secure Ticket Authority traffic.
7. Authentication Service -- Presentation Server XML Service
The username and domain are sent in clear text, while the password is encoded with a simple hash. The XML traffic can and should be encrypted using SSL; a checkbox in the Citrix XenApp or Citrix XenDesktop farm settings configures SSL for the XML traffic.
The next section will review the required Citrix and Microsoft services to support a Citrix Access Gateway Advanced Edition implementation.
The Citrix and Microsoft infrastructure services required to support a Citrix Access Gateway Advanced Edition deployment include the following:
- Citrix XenApp
- Citrix XenDesktop
- Citrix XenApp Web
- Citrix Access Gateway Standard Edition appliance
- Citrix Advanced Access Control
- Citrix License Server
- Citrix Netscaler (optional load balancing component)
- Microsoft Active Directory
- Microsoft SQL Server
- Microsoft DNS Services
- System Center Operations Manager (SCOM) (optional for centralized system monitoring)
Design Considerations
This section will review DNS, Microsoft Exchange, Microsoft Office SharePoint Server and Smart Access policy enforcement design considerations.
DNS Resolution
If the Advanced Access Control server is not a DNS server, any resource not accessed through the web proxy must be resolvable by the Access Gateway appliance. It is necessary to configure DNS server settings and suffixes on any Citrix Access Gateway appliance.
Exchange and Outlook
If supporting Exchange and Outlook synchronization is a requirement, it may be necessary to open a wide range of ports to allow Outlook clients to connect to the Exchange service. By default the Exchange service uses a random available port greater than 1024. This port changes with each reboot of the Exchange server. Another option is to configure static ports for the Exchange Server service.
Microsoft Office SharePoint Server
Microsoft Office SharePoint Server can be displayed as a web resource by configuring the Microsoft Office SharePoint Server web resource to bypass the Citrix web proxy. Citrix’ web proxy is not designed to rewrite Microsoft Office SharePoint Server pages.
SmartAccess Policy Enforcement
If an organization wishes to enforce SmartAccess policies, network traffic between the user and the data security domains must flow through a Citrix Access Gateway Standard Edition appliance. Each workstation must have a Citrix Secure Access client installed.
The next section will review system design strategies. The first section will review a remote access design with a Citrix Access Gateway Standard Edition appliance placed in a DMZ. The second section will review an internal access design with a Citrix Access Gateway Standard Edition appliance placed in a DMZ between the user and data security domains.
Remote Access Design Examples
This section will review three different remote access design examples. The difference between the three designs is how the Citrix Access Gateway Standard Edition appliance’s ethernet ports (interface 0 and interface 1) are used and which networks or VLANs the ethernet ports are placed in.
The first example will use one ethernet port (interface 0). When using one ethernet port it is necessary to create meticulous firewall rules to allow traffic to flow from the Citrix Access Gateway Standard Edition appliance, which is placed in a DMZ, to each desired resource in the data center.
The second example uses both ethernet ports (interface 0 and interface 1). In the second example the Citrix Access Gateway Standard Edition appliance’s ethernet ports (interface 0 and interface 1) straddle the DMZ. Straddling a DMZ with two ethernet ports works without any changes to the existing firewall configurations, effectively routing and filtering traffic “around” the DMZ through the Citrix Access Gateway Standard Edition appliance.
Straddling a DMZ is typically not an option for most organizations, because the ethernet port placement seriously reduces the DMZ’s ability to contain and control traffic. Another downside to straddling the DMZ is that the second NIC is placed in the data center network, which eliminates the ability to perform deep packet inspection on the traffic from the second NIC.
The third example places both ethernet ports, interface 0 and interface 1, in the DMZ. Interface 0 is used as the external NAT address while interface 1 is used for communication to the data center resources. This example gives InfoSec the ability to create meticulous firewall rules on the second NIC and allows deep packet inspection to be performed on interface 1.
The design examples presented in the following sections follow Enterprise Security Architecture design principles. Each network shown in each design example will fall within one of three security domains: the data, the user and the transport security domain. Let's review the security domains before we evaluate the design examples.
Figure 1.3 shows each of the three security domains referenced throughout this publication.

The data security domain is represented in Figure 1.1 as two isolated networks, the data center network and the DMZ network. The data center network hosts the IT infrastructure and the DMZ hosts a Citrix Access Gateway Standard Edition appliance. The user security domain is represented in Figure 1.1 as an isolated network where the end users and their network devices live. The transport security domain is what connects all of the security domains, i.e. the user and data security domains to each other and to the Internet. Each security domain is managed by its respective security policy. Security domain terms and policies are defined in an organization’s enterprise security architecture.
In example 1, one ethernet port (interface 0) is used and placed in the DMZ. Example 1 requires meticulous firewall rules to allow traffic to flow from the Citrix Access Gateway Standard Edition appliance, which is placed in a DMZ, to each desired resource in the data center security domain.
- Example 1 requires port 443 to be open to the Internet for remote access.
- Example 1 requires meticulous firewall rules to allow traffic to flow from the Citrix Access Gateway Standard Edition appliance (interface 0), which is placed in a DMZ, to each desired resource in the data center.
- Inter-machine (appliance and AAC) and admin console communication:
- Communication on ports 80 or 443 is required for the Citrix Access Gateway Standard Edition appliance to make requests to an Advanced Access Control server.
- Communication on port 9005 is required by Advanced Access Control to notify a Citrix Access Gateway Standard Edition appliance of configuration changes.
- Communication on port 9002 is required between the Access Gateway Administration Tool and the Citrix Access Gateway Standard Edition appliance when using the Java console.
- Communication on port 9001 is required for the Access Gateway Administrative Portal and the Citrix Admin Monitor.
- If Outlook synchronization is a requirement with example 1, it will be necessary to open a wide range of ports to allow Outlook clients to connect to the Exchange service. By default, the Exchange service uses a random available port greater than 1024. This port changes with each reboot of the Exchange server. Another option is to configure static Exchange Service ports.
Figure 1.4 shows an appliance in a DMZ using a single ethernet port, interface 0.

In example 2, the Citrix Access Gateway Standard Edition ethernet ports straddle the DMZ. Interface 0 is placed in the DMZ and interface 1 is placed in the data center security domain.
- Example 2 will bind interface 0 to port 443, which is open to the Internet. No additional firewall modifications need to be made between the DMZ and the data security domain.
- When a Citrix Access Gateway Standard Edition appliance straddles a DMZ, the Citrix Access Gateway Standard Edition appliance effectively bridges the DMZ and data center network allowing all traffic to flow through the appliance.
Figure 1.5 shows the Citrix Access Gateway Standard Edition ethernet ports straddling a DMZ.

In example 3, both Citrix Access Gateway Standard Edition ethernet ports (interface 0 and interface 1) are placed in the DMZ. Interface 0 is used as the external NATed address while interface 1 is used to pass traffic between the DMZ and the data center resources. This example gives InfoSec the ability to create meticulous firewall rules on the second NIC and allows deep packet inspection to be performed on interface 1.
- Example 3 will bind interface 0 to port 443, which is open to the Internet for remote access.
- Example 3 will use interface 1 to deliver services from the data center security domain to the DMZ. Meticulous firewall rules will need to be created for interface 1 to allow all desired resources in the data center to be available to interface 1.
- If Outlook synchronization is a requirement it will be necessary to open a wide range of ports to allow Outlook clients to connect to the Exchange service. By default the Exchange service uses a random available port greater than 1024. This port changes with each reboot of the Exchange server. Another option would be to configure static Exchange Service ports.
Figure 1.6 shows an appliance in a DMZ where both Ethernet ports interface 0 and interface 1 are used.

An internal access design uses the same strategies as shown in the three previous design examples. The difference from the previous examples is the network topology and where the appliance’s ethernet ports are placed.
The first example will use one ethernet port (interface 0). When using one ethernet port it is necessary to create meticulous firewall rules to allow traffic to flow from the Citrix Access Gateway Standard Edition appliance, which is placed in a DMZ, to each desired resource in the data center.
The second example uses both ethernet ports (interface 0 and interface 1). In the second example the Citrix Access Gateway Standard Edition appliance’s ethernet ports (interface 0 and interface 1) straddle the DMZ. Straddling a DMZ with two ethernet ports works without any changes to the existing firewall configurations, effectively routing and filtering traffic “around” the DMZ through the Citrix Access Gateway Standard Edition appliance.
Straddling a DMZ is typically not an option for most organizations, because the ethernet port placement seriously reduces the DMZ’s ability to contain and control traffic. Another downside to straddling the DMZ is that the second NIC is placed in the data center network, which eliminates the ability to perform deep packet inspection on the traffic from the second NIC.
The third example places both ethernet ports, interface 0 and interface 1, in the DMZ. Interface 0 is used as the external NAT address while interface 1 is used for communication to the data center resources. This example gives InfoSec the ability to create meticulous firewall rules on the second NIC and allows deep packet inspection to be performed on interface 1.
If an organization has the need to enforce SmartAccess protocol entitlements, network traffic between the user and data center networks must flow through an Access Gateway appliance. In this scenario each endpoint device must have a Secure Access client. In the event that SmartAccess policies are not required, endpoints can communicate directly with an Advanced Access Control web server. This scenario does not require any additional configuration on existing switches or routers, nor is a Secure Access client required on the workstation.
Tip: This may be preferred in thin client and non-Windows environments where an Access client cannot be installed.
In example 1, one ethernet port (interface 0) is used and placed in the DMZ. Example 1 requires meticulous firewall rules to allow traffic to flow from the Citrix Access Gateway Standard Edition appliance, which is placed in a DMZ, to each desired resource in the data center security domain.
- Example 1 requires port 443 to be open to the Internet for remote access.
- Example 1 requires meticulous firewall rules to allow traffic to flow from the Citrix Access Gateway Standard Edition appliance (interface 0), which is placed in a DMZ, to each desired resource in the data center.
- Inter-machine (appliance and AAC) and admin console communication:
- Communication on ports 80 or 443 is required for the Citrix Access Gateway Standard Edition appliance to make requests to an Advanced Access Control server.
- Communication on port 9005 is required by Advanced Access Control to notify a Citrix Access Gateway Standard Edition appliance of configuration changes.
- Communication on port 9002 is required between the Access Gateway Administration Tool and the Citrix Access Gateway Standard Edition appliance when using the Java console.
- Communication on port 9001 is required for the Access Gateway Administrative Portal and the Citrix Admin Monitor.
- If Outlook synchronization is a requirement with example 1, it will be necessary to open a wide range of ports to allow Outlook clients to connect to the Exchange service. By default, the Exchange service uses a random available port greater than 1024. This port changes with each reboot of the Exchange server. Another option is to configure static Exchange Service ports.
Figure 1.7 shows two appliances each in a DMZ between user and data security domains.

In example 2, the Citrix Access Gateway Standard Edition ethernet ports straddle the DMZ. Interface 0 is placed in the DMZ and interface 1 is placed in the data center security domain.
- Example 2 will bind interface 0 to port 443, which is open to the Internet. No additional firewall modifications need to be made between the DMZ and the data security domain. When a Citrix Access Gateway Standard Edition appliance straddles a DMZ, the Citrix Access Gateway Standard Edition appliance effectively bridges the DMZ and data center network allowing all traffic to flow through the appliance.
Figure 1.8 shows two appliances, the appliance to the right of the data center security domain is straddling the DMZ and both Ethernet ports interface 0 and interface 1 are used.

In example 3, both Citrix Access Gateway Standard Edition ethernet ports (interface 0 and interface 1) are placed in the DMZ. Interface 0 is used as the external NATed address while interface 1 is used to pass traffic between the DMZ and the data center resources. This example gives InfoSec the ability to create meticulous firewall rules on the second NIC and allows deep packet inspection to be performed on interface 1.
- Example 3 will bind interface 0 to port 443, which is open to the Internet for remote access.
- Example 3 will use interface 1 to deliver services from the data center security domain to the DMZ. Meticulous firewall rules will need to be created for interface 1 to allow all desired resources in the data center to be available to interface 1.
- If Outlook synchronization is a requirement it will be necessary to open a wide range of ports to allow Outlook clients to connect to the Exchange service. By default the Exchange service uses a random available port greater than 1024. This port changes with each reboot of the Exchange server. Another option would be to configure static Exchange Service ports.
Figure 1.9 shows an appliance in a DMZ and both Ethernet ports interface 0 and interface 1 are used.

The next section will review fault tolerance and high availability options for Citrix Access Gateway Advanced Edition.
Both components in a Citrix Access Gateway Advanced Edition solution, the Citrix Access Gateway Standard Edition appliance and the Advanced Access Control web server, can be configured to provide fault tolerance and high availability by utilizing hardware load balancing. Multiple Access Gateways as well as Advanced Access Control web servers can be load balanced by using a virtual IP (VIP) with the appropriate DNS entries.
Figure 2.0 shows a fault tolerant design.

Incidentally, Citrix has a hardware load balancing solution that can be used to load balance Citrix Access Gateway Standard Edition appliances as well as Advanced Access Control web servers.
The following list shows the suggested load balancing persistence metrics:
From Access Gateway to Advanced Access Control.
- Layer 7 LB: Cookie Hashing
- Cookie Name: LogonSessionID
From Secure Access client to Access Gateway.
- SSL SessionID
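The two persistence metrics listed above, worked through as an added example (not code from this publication or from any Citrix load balancer): cookie hashing on the LogonSessionID cookie selects the Advanced Access Control server for a request, and an SSL session ID table pins a Secure Access client to one appliance. Server names, cookie values and session IDs are constructed for illustration.

```python
"""Persistence for load-balanced Access Gateway Advanced Edition tiers.

Added example; not part of the publication or of any Citrix load balancer.
It implements the two persistence metrics listed above: Layer 7 cookie
hashing on the LogonSessionID cookie (appliance to Advanced Access Control)
and SSL session ID persistence (Secure Access client to appliance).
Server names, cookie values and session IDs are constructed.
"""
import hashlib
from http.cookies import SimpleCookie

COOKIE_NAME = "LogonSessionID"


def _stable_hash(value):
    """Deterministic 64-bit hash; Python's built-in hash() is salted per process."""
    return int.from_bytes(hashlib.sha256(value.encode()).digest()[:8], "big")


def pick_by_cookie(cookie_header, servers):
    """Select the Advanced Access Control server by hashing the LogonSessionID cookie.

    Every request of a logon session carries the same cookie, so the session
    always lands on the same server. Returns None when the cookie is absent
    (the first request of a session) so the caller can apply its default method.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(COOKIE_NAME)
    if morsel is None or not morsel.value:
        return None
    return servers[_stable_hash(morsel.value) % len(servers)]


class SslSessionPersistence:
    """Pin each Secure Access client to one appliance by its SSL session ID."""

    def __init__(self, appliances):
        self.appliances = list(appliances)
        self.table = {}          # ssl session id -> appliance
        self.next_index = 0      # round-robin pointer for unseen sessions

    def pick(self, ssl_session_id):
        """Return the appliance bound to this SSL session, binding it on first sight."""
        appliance = self.table.get(ssl_session_id)
        if appliance is None:
            appliance = self.appliances[self.next_index % len(self.appliances)]
            self.next_index += 1
            self.table[ssl_session_id] = appliance
        return appliance

    def remove_appliance(self, appliance):
        """Take a failed appliance out of rotation; its sessions re-bind on their next request."""
        self.appliances.remove(appliance)
        self.table = {sid: ag for sid, ag in self.table.items() if ag != appliance}


if __name__ == "__main__":
    aac = ["aac1.example.internal", "aac2.example.internal", "aac3.example.internal"]
    header = "LogonSessionID=2f9c0a1e; other=1"          # constructed request cookie
    print(pick_by_cookie(header, aac), pick_by_cookie(header, aac))  # same server twice
    lb = SslSessionPersistence(["ag1", "ag2"])
    print(lb.pick("sess-A"), lb.pick("sess-B"), lb.pick("sess-A"))  # ag1 ag2 ag1
    lb.remove_appliance("ag1")
    print(lb.pick("sess-A"))                                         # ag2
```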
The next section will review a Citrix Access Gateway Advanced Edition Standards policy.
Citrix Access Gateway Advanced Edition Standards
Purpose
The purpose of these standards is to define enterprise-wide Citrix Access Gateway Advanced Edition architecture requirements in order to better meet strategic and tactical Information Technology objectives. These standards define a template and a set of requirements used to implement and support Citrix Access Gateway Advanced Edition.
Scope
These standards are applicable for <Company Name> and any <Company Name> business units that support Citrix Access Gateway Advanced Edition technologies.
Standards
Citrix Access Gateway Advanced Edition Design
The Citrix Access Gateway Standard appliance will be placed in the DMZ. Both of the Citrix Access Gateway Standard appliance network interface cards (interface 0 and interface 1) will be placed in the DMZ.
- interface 0 will be the Internet facing NIC. This requires port 443 to be open to the Internet for remote access via interface 0.
- interface 1 will be used to proxy all traffic between the DMZ and the data security domain.
<Company Name> will not permit a Citrix Access Gateway Standard appliance’s network interface cards to straddle a DMZ.
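The NIC placement standard above and the inter-machine port matrix from List 1.2, expressed as an added policy-as-code check (not part of this publication or of any Citrix product) that also serves the remote and internal design examples: it reports misplaced or straddling interfaces, expands the port matrix into the explicit allow rules interface 1 needs, and flags an appliance-to-Advanced Access Control path left on port 80, where the SOAP credentials travel unencrypted. Network names, host addresses and the rule tuple format are assumptions.

```python
"""Policy-as-code check of an Access Gateway Advanced Edition design.

Added example; not part of the publication or of any Citrix product. It
encodes the design standard (both NICs in the DMZ, no straddling, 443 on
interface 0), the inter-machine ports from List 1.2, and the note that
appliance-to-AAC SOAP traffic is unencrypted unless it runs over SSL.
Network names, addresses and the rule tuple format are assumptions.
"""
from dataclasses import dataclass

# (source role, destination role, port, appliance interface, purpose)
PORT_MATRIX = [
    ("internet", "appliance", 443, "interface 0", "remote access to the logon point"),
    ("appliance", "aac", 443, "interface 1", "appliance requests to Advanced Access Control"),
    ("aac", "appliance", 9005, "interface 1", "configuration change notifications"),
    ("admin", "appliance", 9002, "interface 1", "Administration Tool (Java console)"),
    ("admin", "appliance", 9001, "interface 1", "Administration Portal and Admin Monitor"),
]


@dataclass
class Design:
    interface0_network: str      # "dmz" or "datacenter"
    interface1_network: str
    appliance: str               # appliance address (constructed)
    aac_servers: list            # Advanced Access Control web servers
    admin_hosts: list            # workstations running the admin tools
    aac_port: int = 443          # 80 or 443, per List 1.2


def check_standards(d):
    """Return the list of standard violations; an empty list means compliant."""
    problems = []
    if d.interface0_network != "dmz":
        problems.append("interface 0 must be placed in the DMZ")
    if d.interface1_network != "dmz":
        problems.append("interface 1 must be placed in the DMZ")
    if d.interface0_network == "dmz" and d.interface1_network == "datacenter":
        problems.append("interfaces straddle the DMZ, which the standard does not permit")
    if d.aac_port != 443:
        problems.append("appliance to AAC SOAP traffic on port %d is unencrypted; use 443" % d.aac_port)
    return problems


def required_rules(d):
    """Expand the port matrix into explicit allow rules for this design."""
    hosts = {
        "appliance": [d.appliance],
        "aac": d.aac_servers,
        "admin": d.admin_hosts,
        "internet": ["0.0.0.0/0"],
    }
    rules = []
    for src_role, dst_role, port, iface, purpose in PORT_MATRIX:
        if (src_role, dst_role) == ("appliance", "aac"):
            port = d.aac_port          # the design may still run this hop on 80
        for src in hosts[src_role]:
            for dst in hosts[dst_role]:
                rules.append((src, dst, port, iface, purpose))
    return rules


def missing_rules(d, firewall):
    """Required rules absent from the firewall, given as a set of (src, dst, port)."""
    return [r for r in required_rules(d) if (r[0], r[1], r[2]) not in firewall]


if __name__ == "__main__":
    # Constructed sample: the standard design with two AAC servers and one
    # admin workstation, audited against a firewall that lacks one 9005 rule.
    design = Design("dmz", "dmz", "192.0.2.5", ["10.0.0.20", "10.0.0.21"], ["10.0.0.100"])
    firewall = {(r[0], r[1], r[2]) for r in required_rules(design)}
    firewall.discard(("10.0.0.21", "192.0.2.5", 9005))
    print("violations:", check_standards(design))
    for rule in missing_rules(design, firewall):
        print("missing:", rule)
    # A straddling design that also leaves the SOAP hop on port 80.
    straddle = Design("dmz", "datacenter", "192.0.2.5", ["10.0.0.20"], ["10.0.0.100"], aac_port=80)
    print("violations:", check_standards(straddle))
```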
Load-Balancing
Citrix Netscaler will be used to load-balance Citrix Access Gateway Standard appliances and Citrix Advanced Access Control web servers.
Citrix Licensing Server
Citrix Licensing Server shall be installed on one dedicated web server.
Citrix and Microsoft Licensing
- XenApp Platinum licenses will be used for the Citrix Access Gateway Advanced Edition connections.
- One “server license” for each Citrix Advanced Access Control server is required.
Citrix Advanced Access Control Operating System Installation and Configuration
All Citrix Advanced Access Control instances will be virtual machines.
- Hardware: x86-64
- CPU: 1 virtual CPU
- Memory: 4 GB of memory
- Hard Disk: One separate 20 GB virtual disk
Operating System
Windows Server 2003 Standard x86 Edition shall be used for all Citrix Advanced Access Control web servers.
Installation
An automated server build process will be established to maintain consistency and stability and to enable rapid deployment and recovery.
Anti-virus Prevention
All Citrix Advanced Access Control web servers will have <Product Name> anti-virus software installed and automated to run at regular intervals.
Anti-virus software and virus pattern files must be kept up to date.
Guidelines from the Desktop Application Security Technical Implementation Guide v3, Release 0, Appendix B (Anti-virus Product Specific Guidance) will be used to configure and support <Product Name> anti-virus software.
Patch management
Patch management will be automated using Windows Server Update Services.
Server Security
All Citrix Advanced Access Control web servers will comply with <Company Name> Windows Server Security Policy and Citrix Advanced Access Control Web Server Security Baseline.
Citrix Advanced Access Control Installation
All Citrix Advanced Access Control web servers will comply with <Company Name> Citrix Advanced Access Control Web Server Security Baseline.
Citrix Advanced Access Control Management
Citrix Advanced Access Control web servers will be managed in a separate Organizational Unit (OU) by Group Policy.
Client Devices
Client devices that connect to the Citrix Access Gateway Advanced Edition system shall comply with <Company Name>'s Platform Architecture Policy.
Monitoring and Reporting
Microsoft System Center Operations Manager (SCOM) is the standard monitoring and reporting solution.
Security Policy Auditing
Security auditing will comply with <Company Name>’s Audit Vulnerability Scan Policy.
Incident Response
All security incidents shall comply with <Company Name>'s Incident Response Policy.
Change Management
All modifications made to the production Citrix Access Gateway Advanced Edition environment shall comply with <Company Name>'s Change Management Policy.
Backups
Citrix Advanced Access Control virtual machines will be backed up weekly.
Citrix Access Gateway Standard Edition appliance configurations will be backed up weekly.
Citrix Advanced Access Control SQL database will be backed up weekly.
Review Cycle
This document will be reviewed annually unless an exception is needed.