
Setting up XenApp with SecurID / SafeWord access

Dear techies, I'm looking to set up a small hosted environment to securely publish some seamless applications via the Citrix web portal. I have set up a few environments using XenApp and Secure Gateway (in a DMZ). For this project I need to also include SecurID / SafeWord access as an additional security layer. From reading, it would appear that this is not possible using Secure Gateway (CSG)? Does this mean I would have to leave the CSG out and allow access directly to the Web Interface on the internal network if SecurID is used? I have read that the Fundamentals edition allows SecurID...but once again, is this without the Secure Gateway? Would I be best to buy the CAG (VPX edition) for SecurID access? I can then place this in a DMZ to protect the internal Web Interface? The hosted environment is only for 5 users, so I'm looking for a cost-effective option without compromising security (if possible!).
Thanks in advance
Asked by: jason2302

1 Solution
Dirk Kotte (SE) commented:
NO!
You do not have to leave the CSG/CAG environment!
Simply select SafeWord or RSA SecurID within the Web Interface settings...
(At my customers I mostly use SafeWord because it is simpler and, with domain integration, nice to manage.)
Now you have to install the Web Interface agent from RSA or SafeWord on the web server and the authentication-server component (within your LAN).

I think this will also work with the Web Interface from the Essentials edition.

 
Tony J (Lead Technical Architect) commented:
I would go with SafeWord over RSA any day for a number of reasons:

1) It's cheaper. Considerably, in most cases;
2) It's easier to deploy (there are basically scripts that can alter your Web Interface and CSG sites to incorporate the changes)
3) It has traditionally been easier to deploy with simple AD integration and management
4) The tokens don't have an expiry - check out the back of an RSA token and it has a death-by date
5) Subjective, I know, but RSA servers were compromised recently and it's still unknown if the root keys were compromised at all

But in essence, it integrates with CSG/WI and there's no need to bypass any part of it.
 
jason2302 (Author) commented:
Thanks guys...I will look at SafeWord over RSA. Glad to hear I can use the CSG. On other installations I have put the Web Interface and CSG on the same server in a DMZ (this is for hosted farms accessed purely from the internet). Can I still do this? Some forums are indicating that the Web Interface needs to be on a domain member server to work. Your thoughts appreciated.
Thanks
 
Dirk Kotte (SE) commented:
Your "old" setup should work.
My CSG + WI are always on the same server - within the DMZ - without domain membership.
I think you need the WI with domain binding if you wish to use the additional features from CAG Advanced Edition.
This deployment supports file shares, OWA and other nice features - but a simple CSG is too stupid and doesn't know this :-)
 
jason2302 (Author) commented:
Thanks. Another question: since the CAG is available now as a virtual machine at $995, I'm thinking it is no more expensive than buying a Win2k8 license and putting CSG on it. Is the CAG a much better product than CSG? Am I overlooking some licensing costs here...or is the $995 license cost all in? Thanks in advance
 
Dirk Kotte (SE) commented:
The CAG is much better than CSG and has many more features (depending on the version).
You also need a server for hosting the "backend WI" - but it is possible to use the WI inside your LAN (I don't need this deployment for simple ICA access).
 
Dirk Kotte (SE) commented:
At some point in the future CSG will no longer be supported - on the current software DVDs the new version is included :-)
 
jason2302 (Author) commented:
So I could just put the WI on the XenApp server internally and feed access through from the CAG in the DMZ...without compromising security?
 
Dirk Kotte (SE) commented:
That's why I don't like this.
With the features from Advanced Edition the CAG also needs access to the LAN.

 
Dirk Kotte (SE) commented:
Citrix eDocs : Deploying Access Gateway with XenApp or XenDesktop
http://support.citrix.com/proddocs/topic/access-gateway-50/ag-50-deploy-xa-xd-con.html
 
jason2302 (Author) commented:
A little confused: the docs say you can install the WI on the CAG in a DMZ? Does the CAG virtual appliance have a WI?
 
Dirk Kotte (SE) commented:
No!
You can install CAG and WI in a DMZ!
But not on the same device.
 
jason2302 (Author) commented:
Sorry...lost the plot for a minute there. I understand: if I go for CAG over CSG I either need to 1) have an additional server in the DMZ, or 2) have the WI on an existing server...which would have to be on the internal LAN.
Which way would you go, dkotte? The setup is for 5 users....wondering if the CAG is going to be a bigger administrative overhead? From memory, there's a million policy settings whereas the CSG is simple. Question: can a single CAG provide access to separate Citrix XenApp farms? Wondering, if I do set up a CAG, whether I could use it for more than one hosted XenApp farm.
 
Dirk Kotte (SE) commented:
I would use CSG.
I don't know if CAG also supports multiple farms like CSG.
At the moment we have installed only 1 CAG while installing 20 CSGs.
 
snusgubben commented:
Just some more thoughts:

If you go for CAG, you don't need a WI in the DMZ. A CAG (virtual) appliance is more secure than a writable server in DMZ (i.e. you don't need to run Windows update on the host, virus/malware free).

CAG supports multiple farms and domains/forests.

If you don't use Smart Groups and VPNs, there is only the platform license you mentioned. The platform license covers unlimited access to WIs and XenDesktops.

Regarding RSA or SafeWord, we're considering changing to SMS PASSCODE.
http://www.smspasscode.com/

 
Dirk Kotte (SE) commented:
With CAG you also need a WI.
If you wish to use the WI on the XenApp servers, you have to use CAG for authentication and you lose some options for the two-factor authentication.

We prefer this deployment scenario:
http://support.citrix.com/proddocs/topic/access-gateway-50/ag-50-integrate-wi-dmz-behind-ag-con.html