Solved

Citrix infrastructure DMZ

Posted on 2012-04-03
Last Modified: 2012-04-03
Can I ask, in relation to the overall architecture of a Citrix environment, what part of the Citrix architecture would be a public-facing server (i.e. in the DMZ)? Would that just be the CAG (Access Gateway)? Or could it be other devices too?
Question by:pma111
11 Comments
Accepted Solution

by: Tony1044 (earned 250 total points)
ID: 37799923
CAG, NetScaler, Secure Gateway and Web Interface servers could each sit in the DMZ and be internet facing.

The appliances such as CAG & NetScaler are the better ones as these tend to be a hardened Linux OS with a specific function rather than a Windows IIS server.
Assisted Solution

by: Joshua1909 (earned 250 total points)
ID: 37799926
Hi,

The answer is, of course, that it depends on your configuration. If you already have a DMZ, you can configure your CAG there and have your XenApp servers in your secure network.
That being said, you do not 'need' a DMZ to configure external access to your farm, or even a CAG for that matter.

Check out this link for a few example scenarios:
http://support.citrix.com/proddocs/topic/access-gateway-92/ag-deploy-in-dmz-con.html
And if you're keen for some reading, this is a guide for XenApp fundamentals that includes a section on configuring ISA for remote access to the XenApp farm (page 39):

http://support.citrix.com/servlet/KbServlet/download/25555-102-666229/XAF6_AdminGuide.pdf
Cheers,
Josh
Author Comment

by:pma111
ID: 37800094
Thanks both. Can I ask for a real low-tech, jargon-free management summary of what each of:

CAG,
NetScaler,
Secure Gateway
Web Interface

actually does and provides to the user?

Does every citrix setup include all 4 of these "pieces"? Or can some just include 1 or 2?
Expert Comment

by:Tony1044
ID: 37800103
So the Citrix Access Gateway is a physical appliance that can host a website that users connect to (usually) from external clients. It handles things like SSL offload and encryption services. There is actually a virtual appliance version called the VPX.

The NetScalers can be thought of as Access Gateways on steroids and introduce many high-end features like higher throughput and load balancing.

The Web Interface is used, generally internally, as a point of connection for clients such as the Citrix Receiver, or users can log onto it directly and then launch applications via a web browser - they still need a Citrix client/receiver*.

The Secure Gateway was a software based product in the ilk of the CAGs.

Generally, one or two are used - such as a CAG and a WI.

*The Citrix Receiver is basically the latest client, but there are versions for iDevices, Blackberry etc.

Author Comment

by:pma111
ID: 37800128
That's excellent help. Thanks! So when I visit the website I am visiting the gateway; here I enter the login credentials, and once authenticated I see many options such as a desktop monitor. When I double-click the monitor this seems to launch the Citrix session (which I assume is the WI kicking in at that point??). I did install a web client before this would work.
Author Comment

by:pma111
ID: 37800130
Are there security patches applied to each tier of the Citrix architecture, or are they typically focused on one tier?

i.e. would there be security patches for each of:

CAG,
NetScaler,
Secure Gateway
Web Interface
Author Comment

by:pma111
ID: 37800133
And a last quick one: what are the benefits of a CAG over a "Secure Gateway", i.e. why use one over the other?
Expert Comment

by:Tony1044
ID: 37800161
Yes, Citrix releases patches and updates for most of their products over their life - some more often than others (XenApp far more often than CAG, for example).

The main reason people opt for Secure Gateway tends to be cost. That said, the main reason people choose CAG or NetScaler over CSG is security - anything running on Windows tends to have a perception of being less secure than an appliance based on a Linux core. Certainly you'd need to patch it more often.

Also, because the appliances handle the SSL, you get higher throughput and less load on the software-based systems. SSL can add 30% more load per user in a Windows environment.
Expert Comment

by:Tony1044
ID: 37800163
Oh and:

"That's excellent help. Thanks! So when I visit the website I am visiting the gateway; here I enter the login credentials, and once authenticated I see many options such as a desktop monitor. When I double-click the monitor this seems to launch the Citrix session (which I assume is the WI kicking in at that point??). I did install a web client before this would work."

Yes - you authenticate to the CAG / Web Interface and then it presents you with the applications. When you click it, it launches via the receiver.
Author Comment

by:pma111
ID: 37800206
Are there any easy ways to audit versions of Citrix products for missing patches? Do Citrix give any tools to help admins check they are up to date? I.e. check XenApp is up to date, check CAG is up to date - no missing security patches. If you use CAG with 2-factor and SSL/TLS, what do the vulns typically allow for, if anything?
Expert Comment

by:Tony1044
ID: 37800217
You can tell from the management consoles whether a XenApp server is patched the same as its partners in a farm.

Citrix also offers a page where you can determine which MS security patches shouldn't break anything (quite useful):

http://support.citrix.com/article/CTX132750

I am not aware of any automated service for the likes of CAG, though; the updates are generally quite rare and tend to be a major revision upgrade.

I am not sure what your question re two-factor authentication is asking? Sorry.

Generally though, adding in two-factor auth doesn't introduce any vulnerabilities at a Citrix level, but if, as happened with RSA a while back, the actual authentication mechanism is potentially broken, then of course this will introduce a potential attack profile. On that you just have to keep an eye on, and trust, the vendor to provide feedback in a timely manner.