Solved

Citrix, inadvertent security issue?

Posted on 2011-03-14
Last Modified: 2012-05-11
If your users use Citrix Secure Access Gateway, am I correct in thinking all they need to do is essentially use a web browser, visit a specific URL and then they will view the company’s servers and desktop session in a browser window? Are there any specific minimum requirements needed on machines that are to use the CAG?

Also, as it is a real benefit to have such a remote access solution in place, do you still have remote working policies? Am I correct in thinking if someone accesses CAG from an untrusted machine it could have a key logger on it that could be slurping up your user’s domain credentials? How do you deal with this? Do you have approved machines they can use to access CAG or no policy? What about users’ home/personal machines? They too could have a key logger on them? It’s one thing having a handy remote access solution but the last thing you want is for this to be a loophole for someone to harvest a company’s domain credentials (keys to the doors as we call them).
Question by:pma111

Accepted Solution

by:
jvr006 earned 125 total points
ID: 35129144
You have the ability to set up access control with Access Gateway. It is different depending on whether you are using standard or enterprise. Take a look at the link below to get an idea of what you can do.

http://support.citrix.com/proddocs/index.jsp?topic=/access-gateway-50-access-controller/ag-cac-policies-access-strategy-con.html




Author Comment

by:pma111
ID: 35129488
Thanks for the link. How does Citrix know what device you are actually connecting with, or is this done on a trust basis, i.e. if the user says they are using a corporate device then that's what they are using? Or can Citrix differentiate between a corporate device and someone's home PC or a PC they use in their local coffee shop etc.?

Expert Comment

by:jvr006
ID: 35129918
I believe the process is that when you access the web interface, an ActiveX control will be downloaded that runs an endpoint analysis. You can control access to applications, or in your case, control login screen visibility. You can scan for domain membership. I don't know if there is an exact way to determine location though. The endpoint analysis is more about endpoint trust than location.

http://support.citrix.com/proddocs/index.jsp?topic=/access-gateway-50-access-controller/ag-cac-endpoint-analysis-scans-creating-tsk.html