Solved

Citrix CAG from corporate machines/logistics

Posted on 2012-09-21
Last Modified: 2012-09-25
I have got to do a quick assessment of what could go wrong in our new ways of working. We have recently become a departmental partnership whereby we can be doing work for 2 different businesses – totally separate networks. Both have a Citrix Access Gateway facility. My understanding is it’s basically just a case of visiting a URL and entering domain credentials (neither currently use 2-factor) to use a CAG.

At present each user has a dedicated PC joined to both businesses’ networks for use. Each user needs to be able to access the other business’s file servers and vice versa.

1) What will be needed on the PCs at both businesses to be able to access the other’s CAG?

2) Can you think of any internal IT administrative concerns/roadblocks that would prevent users accessing the other business’s CAG from the other business’s PCs – however far-fetched (i.e. install of software to make CAG work, bandwidth using CAG, licence issues incurred by the business to allow facility to another company’s system, etc.)?

I’m basically coming from: you, as network admin A, get a request that 10 users need to access Citrix CAG for another company from your machines in your network. What are your concerns/qualms?
Question by:pma111
13 Comments
 
LVL 124

Accepted Solution

by: Andrew Hancock (VMware vExpert / EE MVE^2) earned 1000 total points
ID: 38421336
1. Citrix Receiver Client

2. Firewalls
 
LVL 3

Author Comment

by:pma111
ID: 38421340
Can you elaborate on "firewalls"?
 
LVL 3

Author Comment

by:pma111
ID: 38421350
Isn't user X on network X accessing CAG Y for business Y just using a standard internet port, as all you're basically doing is accessing a webpage? So if user X on network X can access www.google.com, shouldn't that mean they can also access business Y's CAG?
 
LVL 7

Assisted Solution

by:Jayanta Sarmah
Jayanta Sarmah earned 1000 total points
ID: 38421363
Well, as far as I understood from your details above:

1) 10 users need access to the CAG for a company or network.

2) Those 10 users are already in a network with connectivity to another company's CAG.

Can they use both CAGs?

Yes, they can, as long as they are able to reach the CAG on port 443. They will use different URLs for the different CAGs; users will reach the CAGs on port 443, from where the traffic will be routed to the company network as configured in the CAG.

What are the concerns:

1) Are they able to connect to both CAGs on port 443 (that you have to verify from a network perspective)?
2) Both CAGs are of similar versions, not configured to allow connection only through a specific Access Gateway plugin (that can also be overcome by installing both, but may create issues, although we had never tested that kind of scenario).
3) Both CAGs are configured with these users' groups (that I am sure the CAG administrator will take care of).

I hope that answers your query. If not, please confirm what exactly you are looking for.

Cheers..
 
LVL 3

Author Comment

by:pma111
ID: 38421373
Networking side of things is not an area of strength.

So say I access https://12345's-CAG from another network, i.e. home wireless, cafe shop, other company's private network - I am accessing that on port 443? But by the very fact that they (12345) offer a CAG facility to their own staff, doesn't that mean port 443 will be open to the Internet anyway?

Or from the private network do they need to allow port 443 traffic "out" to allow those inside their firewall to be able to get to that external network's CAG?
 
LVL 3

Author Comment

by:pma111
ID: 38421386
You will have to give me a real idiot's guide on what ports need to be open on both companies' firewalls (company Y and company X) when allowing user X in private network X to access company Y's CAG.
 
LVL 7

Expert Comment

by:Jayanta Sarmah
ID: 38421419
It depends on the CAG configuration. For security, the CAG can even be configured to verify endpoint analysis policies, RSA tokens, secure client certificates, etc.

As you confirmed that you are a network admin and just want to know the concerns: those are all the concerns. As long as they are able to reach the CAG, the rest can be configured in the CAG/user desktop to provide access to these users, for example client certificates, issuing RSA tokens, or desktops configured to match endpoint policies, if required at all.

If the other company has configured this kind of security, then the CAG admin will guide you on what extra you will need.

Regarding port 443 being open from the Internet: it's not always open. It also depends on the CAG placement and what kind of firewall the packet has to cross before reaching the CAG. Every organisation may not allow external connections.
 
LVL 124
ID: 38421433
If you have firewalls configured on your site, you will not be able to access the CAG; the same applies if you use proxy-based Internet caches.
 
LVL 7

Expert Comment

by:Jayanta Sarmah
ID: 38421443
The only port you are looking for is 443; I am expecting these users to be end users, not CAG admins. Only for CAG console access (for managing/configuring the CAG) do you need port 9001/9001 opened from the user location to the CAG.
 
LVL 3

Author Comment

by:pma111
ID: 38421470
Sorry to sound dumb.

But in this scenario, user X from org network X needs to access org Y's CAG.

What ports need to be open on both org X's and org Y's firewalls? I assume there's a "permitted out" port, i.e. staff need to access an external site's CAG so the firewall must let port 443 traffic "out" to enable them to create a connection.

So would port 443 by default not be permitted to allow "out" connections from internal staff?
 
LVL 3

Author Comment

by:pma111
ID: 38421471
Yes end users not CAG admins
 
LVL 3

Author Comment

by:pma111
ID: 38421477
I can access 1 of the CAGs (org Y) from the other's network (org X), just tried. So I assume that means one of the networks (org X) allows "outgoing" port 443 connections?
 
LVL 124
ID: 38421511
Correct. I think you are overcomplicating this. Connecting to Citrix is very easy: install the client and connect!

Other than installing the client, which is required, that's all there is to it! It does not touch the PC, other than the installation!

If it does not connect, it is a firewall or Internet proxy issue on your LAN!
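
Added example, not part of the original thread or any poster's code: a small Python probe that separates the failure causes named in the replies above (outbound firewall on port 443, an Internet proxy, something breaking TLS) by reporting how far a direct connection to a gateway gets. The names `probe_gateway` and `HINTS` and the `cag.org-x.example` / `cag.org-y.example` hostnames are assumptions for illustration.

```python
import socket
import ssl
import urllib.request

# Likely cause per failure stage, in the terms used in this thread.
HINTS = {
    "dns": "name does not resolve from this network (internal or proxy-only DNS)",
    "tcp": "outbound TCP blocked by the local firewall, or gateway not published",
    "tls": "something answered but TLS failed: proxy/inspection or certificate issue",
    "ok": "direct HTTPS path works; an unexpected issuer suggests TLS inspection",
}

def probe_gateway(host, port=443, timeout=5.0):
    """Return how far a direct connection to host:port gets: dns, tcp, tls or ok."""
    # A configured HTTPS proxy means the browser/client may not connect directly.
    report = {"host": host, "port": port,
              "proxy": urllib.request.getproxies().get("https")}

    def done(stage, detail):
        return {**report, "stage": stage, "detail": detail, "hint": HINTS[stage]}

    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return done("dns", str(exc))
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, timed out, unreachable
        return done("tcp", str(exc))
    try:
        ctx = ssl.create_default_context()  # verifies chain and hostname
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
    except OSError as exc:  # includes ssl.SSLError and handshake timeouts
        sock.close()
        return done("tls", str(exc))
    return done("ok", issuer.get("organizationName") or issuer.get("commonName"))

if __name__ == "__main__":
    # Placeholder hostnames (constructed): substitute each business's gateway FQDN.
    for gw in ("cag.org-x.example", "cag.org-y.example"):
        r = probe_gateway(gw)
        print(f"{r['host']}:{r['port']} stage={r['stage']} proxy={r['proxy']} "
              f"detail={r['detail']} -> {r['hint']}")
```

Run it from a PC on each network against the other business's gateway; a `tcp` result with a non-empty `proxy` value usually means the client has to be pointed at the proxy rather than that the gateway is down.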