Setting up XenApp with securid \ safeword access

Posted on 2011-09-24
Last Modified: 2012-05-12
Dear techies, I'm looking to set up a small hosted environment to securely publish some seamless applications via the Citrix web portal. I have set up a few environments using XenApp and Secure Gateway (in a DMZ). For this project I need to also include SecurID\SafeWord access as an additional security layer. From reading it would appear that this is not possible using Secure Gateway (CSG)? Does this mean I would have to leave the CSG out and allow access directly to the Web Interface on the internal network if SecurID is used? I have read that the Fundamentals edition allows SecurID... but once again, is this without the Secure Gateway? Would I be best to buy the CAG (VPX edition) for SecurID access? I can then place this in a DMZ to protect the internal Web Interface? The hosted environment is only for 5 users, so I'm looking for a cost-effective option without compromising security (if possible!).
Thanks in advance.

Question by: jason2302
16 Comments
 
Expert Comment by: Dirk Kotte
ID: 36595864
No!
You do not have to leave the CSG/CAG environment!
Simply select SafeWord or RSA SecurID within the Web Interface settings...
(At my customers I mostly use SafeWord because it is simpler and, with domain integration, nice to manage.)
Now you have to install the Web Interface agent from RSA or SafeWord on the web server and the authentication server component (within your LAN).

I think this will also work with the Web Interface from the Essentials edition.
 
Expert Comment by: Tony1044
ID: 36597956
I would go with SafeWord over RSA any day for a number of reasons:

1) It's cheaper. Considerably, in most cases;
2) It's easier to deploy (there are basically scripts that can alter your Web Interface and CSG sites to incorporate the changes);
3) It has traditionally been easier to deploy with simple AD integration and management;
4) The tokens don't have an expiry - check out the back of an RSA token and it has a death-by date;
5) Subjective, I know, but RSA servers were compromised recently and it's still unknown if the root keys were compromised at all.

But in essence, it integrates with CSG/WI and there's no need to bypass any part of it.
 

Author Comment by: jason2302
ID: 36602350
Thanks guys... I will look at SafeWord over RSA. Glad to hear I can use the CSG. On other installations I have put the Web Interface and CSG on the same server in a DMZ (this is for hosted farms accessed purely from the internet). Can I still do this? Some forums are indicating that the Web Interface needs to be on a domain member server to work. Your thoughts appreciated.
Thanks.
 
Expert Comment by: Dirk Kotte
ID: 36719142
Your "old" setup should work.
My CSG + WI are always on the same server - within the DMZ - without domain membership.
I think you need the WI with domain binding if you wish to use the additional features of the CAG Advanced Edition.
This deployment supports file shares, OWA and other nice features - but a simple CSG is too stupid and doesn't know this :-)
 

Author Comment by: jason2302
ID: 36719222
Thanks. Another question: since the CAG is available now as a virtual machine at $995, I'm thinking it is no more expensive than buying a Win2k8 license and putting CSG on it. Is the CAG a much better product than CSG? Am I overlooking some licensing costs here... or is the $995 license cost all in? Thanks in advance.
 
Expert Comment by: Dirk Kotte
ID: 36719286
The CAG is much better than CSG and has many more features (depending on the version).
You also need a server for hosting the "backend WI" - but it is possible to use the WI inside your LAN (I don't need this deployment for simple ICA access).
 
Expert Comment by: Dirk Kotte
ID: 36719295
At some point in the future CSG should no longer be supported - on the current software DVDs the new version is included :-)
 

Author Comment by: jason2302
ID: 36719303
So I could just put the WI on the XenApp server internally and feed access through from the CAG in the DMZ... without compromising security?
 
Expert Comment by: Dirk Kotte
ID: 36719404
That's why I don't like this.
With the features from the Advanced Edition the CAG also needs access to the LAN.
 
Expert Comment by: Dirk Kotte
ID: 36719503
Citrix eDocs: Deploying Access Gateway with XenApp or XenDesktop
http://support.citrix.com/proddocs/topic/access-gateway-50/ag-50-deploy-xa-xd-con.html
 

Author Comment by: jason2302
ID: 36719541
A little confused: the docs say you can install the WI on the CAG in a DMZ? Does the CAG virtual appliance have a WI?
 
Expert Comment by: Dirk Kotte
ID: 36719565
No!
You can install CAG and WI in a DMZ!
But not on the same device.
 

Author Comment by: jason2302
ID: 36719622
Sorry... lost the plot for a minute there. I understand: if I go for CAG over CSG I either need to 1) have an additional server in the DMZ, or 2) have the WI on an existing server... which would have to be on the internal LAN.
Which way would you go, dkotte? The setup is for 5 users... wondering if the CAG is going to be a bigger administrative overhead? From memory, there's a million policy settings, whereas the CSG is simple. Question: can a single CAG provide access to separate Citrix XenApp farms? Wondering, if I do set up a CAG, whether I could use it for more than one hosted XenApp farm.
 
Expert Comment by: Dirk Kotte
ID: 36719791
I would use CSG.
I don't know if CAG also supports multiple farms like CSG.
At the moment we install only 1 CAG while installing 20 CSG.
 
Expert Comment by: snusgubben
ID: 36817833
Just some more thoughts:

If you go for CAG, you don't need a WI in the DMZ. A CAG (virtual) appliance is more secure than a writable server in the DMZ (i.e. you don't need to run Windows Update on the host; virus/malware free).

CAG supports multiple farms and domains/forests.

If you don't use Smart Groups and VPNs, there is only the platform license you mentioned. The platform license covers unlimited access to WIs and XenDesktops.

Regarding RSA or SafeWord, we're considering changing to smspasscode.
http://www.smspasscode.com/
 
Accepted Solution by: Dirk Kotte (earned 500 total points)
ID: 36947627
With CAG you also need a WI.
If you wish to use the WI on the XenApp servers you have to use the CAG for authentication, and you lose some options for the two-factor authentication.

We prefer this deployment scenario:
http://support.citrix.com/proddocs/topic/access-gateway-50/ag-50-integrate-wi-dmz-behind-ag-con.html
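The thread settles on two deployment shapes: CSG and Web Interface together on one non-domain host in the DMZ (the 2FA agent on that host reaching its authentication server on the LAN), or a gateway in the DMZ with the Web Interface on the internal XenApp server. Below is an added example, not code from Citrix or from any poster in this thread, of the firewall-rule check a practitioner would run before declaring either shape "not compromising security": it encodes each shape as an allow-list of (source zone, destination zone, destination host role, port) flows and flags any rule that lets the internet reach the LAN, that is not scoped to a host role, or that opens a DMZ-to-LAN or internet-to-DMZ flow outside the allow-list. The zone and role names, the deployment names and the `Rule` type are this example's own conventions; the ports are the Citrix defaults (ICA 1494, CGP 2598, XML service and STA on 80), and `AUTH_PORT` is a placeholder for whatever port your SafeWord or RSA agent actually needs.

```python
# Added example for this thread, not Citrix code and not any poster's code.
# Checks a candidate firewall rule set against the allow-list for one of the
# two deployment shapes discussed above.
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

INTERNET, DMZ, LAN = "internet", "dmz", "lan"
AUTH_PORT = 5500  # placeholder: set to the port your two-factor agent uses

# A flow is (src_zone, dst_zone, dst_role, dst_port).
Flow = Tuple[str, str, str, int]


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_role: str  # "gateway", "wi", "xenapp", "auth_server" or "any"
    dst_port: int


def allowed_flows(deployment: str) -> Set[Flow]:
    """Allow-list for each deployment shape from the thread (example names)."""
    xenapp_from_dmz = {
        (DMZ, LAN, "xenapp", 80),    # XML service and STA (Citrix default port)
        (DMZ, LAN, "xenapp", 1494),  # ICA
        (DMZ, LAN, "xenapp", 2598),  # CGP / session reliability
    }
    if deployment == "csg_wi_in_dmz":
        # WI + CSG on one DMZ host; its 2FA agent talks to the auth server
        # on the LAN, and nothing else needs to cross into the LAN.
        return {(INTERNET, DMZ, "gateway", 443),
                (DMZ, LAN, "auth_server", AUTH_PORT)} | xenapp_from_dmz
    if deployment == "cag_dmz_wi_internal":
        # Gateway in the DMZ, WI on the internal XenApp server: the gateway
        # must additionally reach the WI over HTTPS on the LAN.
        return {(INTERNET, DMZ, "gateway", 443),
                (DMZ, LAN, "wi", 443)} | xenapp_from_dmz
    raise ValueError(f"unknown deployment {deployment!r}")


def check_rules(rules: Iterable[Rule], deployment: str) -> List[str]:
    """Return one finding per rule that widens exposure beyond the allow-list.

    LAN-initiated and outbound rules are ignored: the check is only about what
    the internet can reach and what a compromised DMZ host could reach next.
    """
    allowed = allowed_flows(deployment)
    findings: List[str] = []
    for r in rules:
        flow: Flow = (r.src_zone, r.dst_zone, r.dst_role, r.dst_port)
        if r.src_zone == INTERNET and r.dst_zone == LAN:
            findings.append(f"internet reaches LAN directly: {flow}")
        elif r.dst_role == "any":
            findings.append(f"rule is not scoped to a host role: {flow}")
        elif (r.src_zone, r.dst_zone) in {(INTERNET, DMZ), (DMZ, LAN)} \
                and flow not in allowed:
            findings.append(f"flow not in allow-list for {deployment}: {flow}")
    return findings


if __name__ == "__main__":
    # Constructed rule set: the CSG+WI-in-DMZ shape plus three mistakes.
    candidate = [
        Rule(INTERNET, DMZ, "gateway", 443),
        Rule(DMZ, LAN, "xenapp", 80),
        Rule(DMZ, LAN, "xenapp", 1494),
        Rule(DMZ, LAN, "xenapp", 2598),
        Rule(DMZ, LAN, "auth_server", AUTH_PORT),
        Rule(INTERNET, LAN, "wi", 443),   # internal WI published directly
        Rule(INTERNET, DMZ, "wi", 80),    # WI reachable over HTTP, bypassing CSG
        Rule(DMZ, LAN, "any", 445),       # SMB from the DMZ to anything internal
    ]
    for finding in check_rules(candidate, "csg_wi_in_dmz"):
        print(finding)
```

Run it against the rule set you actually intend to configure; an empty result means every internet-facing and DMZ-to-LAN rule is one the chosen deployment shape needs. Switching `deployment` to `cag_dmz_wi_internal` makes the DMZ-to-WI HTTPS flow legitimate and flags the SafeWord/RSA flow instead, which is exactly the trade-off the accepted answer describes.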

Get 1:1 Help Now