Solved

Citrix, inadvertant security issue?

Posted on 2011-03-14
3
255 Views
Last Modified: 2012-05-11
If your users use Citrix Secure Access Gateway, am I correct in thinking all they need to do is essentially use a web browser, visit a specific URL and then they will view the company’s servers and desktop session in a browser window? Is there any specific minimum requirements needed on machines that are to use the CAG?

Also, as it is a real benefit to have such a remote access solution in place, do you still have remote working policies? Am I correct in thinking if someone accesses CAG from an un-trusted machine it could have a key logger on it that could be slurping up your user’s domain credentials? How do you deal with this? Do you have approved machines they can use to access CAG or no policy? What about user’s home/personal machines? They could to have a key logger on them? Its one thing having a handy remote access solution but the last thing you want is for this to be a loophole for someone to harvest a companies domain credentials (keys to the doors as we call them).
0
Comment
Question by:pma111
  • 2
3 Comments
 
LVL 6

Accepted Solution

by:
jvr006 earned 125 total points
ID: 35129144
You have the ability to setup access control with access gateway. It is a different depending on whether you are using standard or enterprise. Take a look at the link below to get an idea of what you can do.

http://support.citrix.com/proddocs/index.jsp?topic=/access-gateway-50-access-controller/ag-cac-policies-access-strategy-con.html



0
 
LVL 3

Author Comment

by:pma111
ID: 35129488
Thanks for the link, how does Citrix know what device you are actually connecting with, or is this done on a trust basis, i.e. if user says they are using a corporate device then thats what they are using? Or can citrix diffrentiate between a corproate device and someones home PC or a PC they use in their local coffee shop etc?
0
 
LVL 6

Expert Comment

by:jvr006
ID: 35129918
I believe the process is that when you access the web interface, an active-x control will be downloaded that runs an endpoint analysis. You can control access to applications, or in your case, control login screen visibility. You can scan for domain membersip.. I don't know if there is an exact way to determine location though. The endpoint analysis is more about endpint trust then location.

http://support.citrix.com/proddocs/index.jsp?topic=/access-gateway-50-access-controller/ag-cac-endpoint-analysis-scans-creating-tsk.html
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now