Citrix, inadvertant security issue?

If your users use Citrix Secure Access Gateway, am I correct in thinking all they need to do is essentially use a web browser, visit a specific URL and then they will view the company’s servers and desktop session in a browser window? Is there any specific minimum requirements needed on machines that are to use the CAG?

Also, as it is a real benefit to have such a remote access solution in place, do you still have remote working policies? Am I correct in thinking if someone accesses CAG from an un-trusted machine it could have a key logger on it that could be slurping up your user’s domain credentials? How do you deal with this? Do you have approved machines they can use to access CAG or no policy? What about user’s home/personal machines? They could to have a key logger on them? Its one thing having a handy remote access solution but the last thing you want is for this to be a loophole for someone to harvest a companies domain credentials (keys to the doors as we call them).
LVL 3
pma111Asked:
Who is Participating?
 
jvr006Connect With a Mentor Commented:
You have the ability to setup access control with access gateway. It is a different depending on whether you are using standard or enterprise. Take a look at the link below to get an idea of what you can do.

http://support.citrix.com/proddocs/index.jsp?topic=/access-gateway-50-access-controller/ag-cac-policies-access-strategy-con.html



0
 
pma111Author Commented:
Thanks for the link, how does Citrix know what device you are actually connecting with, or is this done on a trust basis, i.e. if user says they are using a corporate device then thats what they are using? Or can citrix diffrentiate between a corproate device and someones home PC or a PC they use in their local coffee shop etc?
0
 
jvr006Commented:
I believe the process is that when you access the web interface, an active-x control will be downloaded that runs an endpoint analysis. You can control access to applications, or in your case, control login screen visibility. You can scan for domain membersip.. I don't know if there is an exact way to determine location though. The endpoint analysis is more about endpint trust then location.

http://support.citrix.com/proddocs/index.jsp?topic=/access-gateway-50-access-controller/ag-cac-endpoint-analysis-scans-creating-tsk.html
0
All Courses

From novice to tech pro — start learning today.