Solved

Citrix infrastructure DMZ

Posted on 2012-04-03
11
839 Views
Last Modified: 2012-04-03
Can I ask, in relation to the overall architecture of a Citrix environment, what part of the Citrix architecture would be a public-facing server (i.e. in the DMZ)? Would that just be the CAG (Access Gateway)? Or could it be other devices too?
Question by:pma111
11 Comments
 
LVL 25

Accepted Solution

by:
Tony1044 earned 250 total points
ID: 37799923
CAG, NetScaler, Secure Gateway and Web Interface servers could each sit in the DMZ and be internet facing.

The appliances such as CAG & NetScaler are the better ones as these tend to be a hardened Linux OS with a specific function rather than a Windows IIS server.
0
 
LVL 6

Assisted Solution

by:Joshua1909
Joshua1909 earned 250 total points
ID: 37799926
Hi,

The answer is of course, it depends on your configuration. If you already have a DMZ, you can configure your CAG there, and have your XenApp servers in your secure network.
That being said, you do not 'need' a DMZ to configure external access to your farm, or even a CAG for that matter.

Check out this link for a few example scenarios:
http://support.citrix.com/proddocs/topic/access-gateway-92/ag-deploy-in-dmz-con.html


And if you're keen for some reading, this is a guide for XenApp fundamentals that includes a section on configuring ISA for remote access to the XenApp farm (page 39):

http://support.citrix.com/servlet/KbServlet/download/25555-102-666229/XAF6_AdminGuide.pdf



Cheers,
Josh
0
 
LVL 3

Author Comment

by:pma111
ID: 37800094
Thanks both. Can I ask for a real low tech jargon free management summary of what each:

CAG,
NetScaler,
Secure Gateway
Web Interface

Actually does and provides to the user?

Does every citrix setup include all 4 of these "pieces"? Or can some just include 1 or 2?
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 37800103
So the Citrix Access Gateway is a physical appliance that can host a website that users connect to (usually) from external clients. It handles things like SSL offload and encryption services. There is actually a virtual appliance version called the VPX.

The NetScalers can be thought of as Access Gateways on steroids and introduce many high-end features like higher throughput and load balancing.

The Web Interface is used, generally internally, as a point of connection for the clients such as the Citrix Receiver or users can log onto it directly and then launch applications via a web browser - they still need a Citrix client/receiver*.

The Secure Gateway was a software based product in the ilk of the CAGs.

Generally, one or two are used - such as a CAG and a WI.

*The Citrix Receiver is basically the latest client, but there are versions for iDevices, Blackberry etc.
0
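To make the placement described in the thread concrete (CAG in the DMZ, Web Interface and the XenApp farm internal, users only ever touching the CAG), here is an added example, not from the thread or from Citrix, that models the DMZ firewall policy as a first-match rule list and audits the segmentation properties a reviewer would expect. All addresses are constructed; the ports assumed are 443 for HTTPS, 1494 for ICA and 2598 for CGP (session reliability).

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for the layout in the thread: the CAG sits in the DMZ,
# Web Interface and the XenApp farm sit on the internal network.
CAG = "192.0.2.10"             # DMZ (constructed)
WEB_INTERFACE = "10.10.1.20"   # internal (constructed)
XENAPP_FARM = "10.10.2.0/24"   # internal (constructed)
ANY = "0.0.0.0/0"

# First-match firewall policy: (src, dst, dst_port or None for any, action).
# Ports assumed: 443 HTTPS to the CAG and WI, 1494 ICA and 2598 CGP to XenApp.
RULES = [
    (ANY, CAG, 443, "allow"),             # external users reach only the CAG, only over HTTPS
    (CAG, WEB_INTERFACE, 443, "allow"),   # CAG forwards logon / app enumeration to the WI
    (CAG, XENAPP_FARM, 1494, "allow"),    # ICA session traffic
    (CAG, XENAPP_FARM, 2598, "allow"),    # CGP session traffic
    (ANY, ANY, None, "deny"),             # default deny
]

def evaluate(src, dst, port):
    """Return the action of the first rule matching the flow (deny if none match)."""
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, rule_port, action in RULES:
        if s in ip_network(rule_src) and d in ip_network(rule_dst) \
                and (rule_port is None or rule_port == port):
            return action
    return "deny"

def audit():
    """Check the segmentation properties the thread describes; return a list of violations."""
    violations = []
    internet_host = "203.0.113.7"   # constructed external client
    # 1. Nothing internal is reachable from the internet directly, and the CAG only on 443.
    for dst, port in [(WEB_INTERFACE, 443), ("10.10.2.5", 1494), ("10.10.2.5", 2598), (CAG, 22)]:
        if evaluate(internet_host, dst, port) == "allow":
            violations.append(f"internet -> {dst}:{port} should be denied")
    # 2. The CAG can reach the WI and the farm on exactly the ports a session needs.
    for dst, port in [(WEB_INTERFACE, 443), ("10.10.2.5", 1494), ("10.10.2.5", 2598)]:
        if evaluate(CAG, dst, port) != "allow":
            violations.append(f"CAG -> {dst}:{port} should be allowed")
    # 3. The DMZ host must not have broad access into the internal network.
    if evaluate(CAG, WEB_INTERFACE, 445) == "allow":
        violations.append("CAG -> internal SMB should be denied")
    return violations

if __name__ == "__main__":
    print("violations:", audit())
```

An empty list from `audit()` means the policy matches the layout Tony describes; any entry names a flow that breaks the DMZ model.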
 
LVL 3

Author Comment

by:pma111
ID: 37800128
That's excellent help. Thanks! So when I visit the website I am visiting the gateway; here I enter the login credentials, and once authenticated I see many options such as a desktop monitor. When I double-click the monitor this seems to launch the Citrix session (which I assume is the WI kicking in at that point??). I did install a web client before this would work.
0
 
LVL 3

Author Comment

by:pma111
ID: 37800130
Are there security patches applied to each tier of the Citrix architecture, or are they typically focused on one tier?

i.e. would there be security patches for each of:

CAG,
NetScaler,
Secure Gateway
Web Interface
0
 
LVL 3

Author Comment

by:pma111
ID: 37800133
And one last quick one: what are the benefits of a CAG over a "Secure Gateway", i.e. why use one over the other?
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 37800161
Yes, Citrix release patches and updates for most of their products over their life - some more often than others (XenApp far more often than CAG, for example).

The main reason people opt for Secure Gateway tends to be cost. That said, the main reason people choose CAG or NetScaler over CSG is security - anything running on Windows tends to have a perception of being less secure than an appliance based on a Linux core. Certainly you'd need to patch it more often.

Also because the appliances handle the SSL you get a higher throughput and less load on the software based systems. SSL can add 30% more load per user in a Windows environment.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 37800163
Oh and:

"That's excellent help. Thanks! So when I visit the website I am visiting the gateway; here I enter the login credentials, and once authenticated I see many options such as a desktop monitor. When I double-click the monitor this seems to launch the Citrix session (which I assume is the WI kicking in at that point??). I did install a web client before this would work."

Yes - you authenticate to the CAG / Web Interface and then it presents you with the applications. When you click it, it launches via the receiver.
0
 
LVL 3

Author Comment

by:pma111
ID: 37800206
Are there any easy ways to audit versions of citrix products for missing patches, do Citrix give any tools to help admins check they are up to date? I.e. check xenapp is up to date, check CAG is up to date - no missing security patches. If you use CAG with 2-factor and SSL/TLS, what do the vulns typically allow for, if anything?
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 37800217
You can tell if a XenApp server is patched the same as its partners in a farm from the management consoles.

Citrix also offers a page where you can determine which MS security patches shouldn't break anything (quite useful):

http://support.citrix.com/article/CTX132750

I am not aware of any automated service though for the likes of CAG but the updates are generally both quite rare and tend to be a major revision upgrade.

I am not sure what your question re two-factor authentication is asking? Sorry.

Generally though, adding in two-factor auth doesn't introduce any vulnerabilities at the Citrix level, but if, as happened with RSA a while back, the actual authentication mechanism is potentially broken, then of course this will introduce a potential attack profile. On that you just have to keep an eye on, and trust, the vendor to provide feedback in a timely manner.
0
