Citrix CAG from corporate machines/logistics

I have got to do a quick assessment of what could go wrong in our new ways of working. We have recently become a departmental partnership whereby we can be doing work for 2 different businesses – totally separate networks. Both have a Citrix Access Gateway facility. My understanding is it's basically just a case of visiting a URL and entering domain credentials (neither currently uses 2-factor) to use a CAG.

At present each user has a dedicated PC joined to both businesses' networks for use. Each user needs to be able to access the other business's file servers and vice versa.

1) What will be needed on the PCs at both businesses to be able to access the other's CAG?

2) Can you think of any internal IT administrative concerns/roadblocks that would prevent users accessing the other business's CAG from the other business's PCs, however far-fetched (i.e. installation of software to make the CAG work, bandwidth used by the CAG, licence issues incurred by the business to allow the facility to another company's system, etc.)?

I'm basically coming at it from the angle that you, as network admin A, get a request that 10 users need to access the Citrix CAG for another company from your machines in your network. What are your concerns/qualms?
pma111Asked:
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
1. Citrix Receiver Client

2. Firewalls
0
 
pma111Author Commented:
Can you elaborate on "firewalls"?
0
 
pma111Author Commented:
Isn't user X on network X accessing CAG Y for business Y just using the standard internet port, as all you're basically doing is accessing a webpage? So if user X on network X can access www.google.com, shouldn't that mean they can also access business Y's CAG?
0
 
Jayanta SarmahCommented:
Well, as far as I understood from your details above:

1) 10 users need access to the CAG for a company or network.

2) Those 10 users are already in a network with connectivity to another company's CAG.

Whether they can use both CAGs?

Yes, they can, as long as they are able to reach the CAG on port 443. They will use different URLs for different CAGs; users will reach the CAGs on port 443, from where the traffic will be routed to the company network as configured in the CAG.

What are the concerns:

1) Are they able to connect to both CAGs on port 443? (That you have to verify from a network perspective.)
2) Are both CAGs of similar versions, and not configured to allow connection only through a specific Access Gateway plugin? (That can also be overcome by installing both, but it may create issues, although we have never tested that kind of scenario.)
3) Are both CAGs configured with these user groups? (That I am sure the CAG administrator will take care of.)

I hope that answers your query; if not, please confirm what exactly you are looking for.

Cheers.
0
 
pma111Author Commented:
Networking side of things is not an area of strength.

So say I access https://12345's-CAG from another network, i.e. home wireless, coffee shop, another company's private network – I am accessing that on port 443? But by the very fact that they (12345) offer a CAG facility to their own staff, doesn't that mean port 443 will be open to the Internet anyway?

Or, from the private network, do they need to allow port 443 traffic "out" to allow those inside their firewall to be able to get to that external network's CAG?
0
 
pma111Author Commented:
You will have to give me a real idiot's guide on what ports need to be open on both companies' firewalls (company Y and company X) when allowing user X in private network X to access company Y's CAG.
0
 
Jayanta SarmahCommented:
It depends on the CAG configuration; for security, the CAG can even be configured to verify End Point Analysis policies, RSA tokens, secure client certificates, etc.

As you confirmed that you are a network admin and just want to know the concerns: those are all the concerns. As long as they are able to reach the CAG, the rest can be configured in the CAG/user desktop to provide access to these users, for example client certificates, issuing RSA tokens, or configuring the desktop to match endpoint policies, if at all required.

If the other company has configured these kinds of security measures, then the CAG admin will guide you on what extra you will need.

Regarding port 443 being open from the Internet: it is not always open. It also depends on the CAG placement, and what kind of firewall the packet has to cross before reaching the CAG. Not every organisation allows external connections.
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
If you have firewalls configured on your site you will not be able to access the CAG; also if you use proxy-based Internet caches.
0
 
Jayanta SarmahCommented:
The only port you are looking for is 443; I am expecting these users to be end users, not CAG admins. Only for CAG console access (for managing/configuring the CAG) do you need port 9001/9001 opened from the user location to the CAG.
0
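The replies above reduce the end-user question to three checks: the gateway name resolves from the PC, TCP/443 is allowed outbound from that network, and a TLS handshake completes (a proxy-based cache that intercepts TLS, as mentioned above, fails at that third step). The script below is an added example and is not code from any poster or from Citrix; it runs those checks against a list of CAG login URLs and maps each failure to the admin-side cause discussed in the thread. The hostnames and proxy values in it are constructed placeholders; substitute the real gateway FQDNs.

```python
"""Reachability check for Citrix Access Gateway (CAG) login URLs.

Added example, not code from the thread or from Citrix. For each URL it
checks: DNS resolution, a direct TCP connection on the URL's port (443 by
default), and a verified TLS handshake. Where a step fails, the verdict
names the likely cause (egress firewall, interception proxy, etc.).
"""
import os
import socket
import ssl
import sys
from urllib.parse import urlparse

# Constructed placeholder URLs for the two businesses' gateways.
CAG_URLS = [
    "https://cag.business-x.example",
    "https://cag.business-y.example:443/vpn/index.html",
]


def parse_cag_url(url):
    """Return (host, port) for a CAG login URL; https implies port 443."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https:// URL, got {url!r}")
    return parts.hostname, parts.port or 443


def proxy_in_effect(host, env=None):
    """Return the HTTPS proxy the environment would send this host through,
    or None. Honours NO_PROXY exact and suffix matches. env defaults to
    os.environ; a mapping can be passed in for testing."""
    env = os.environ if env is None else env
    proxy = env.get("HTTPS_PROXY") or env.get("https_proxy")
    if not proxy:
        return None
    bypass = env.get("NO_PROXY") or env.get("no_proxy") or ""
    for entry in (e.strip().lstrip(".") for e in bypass.split(",")):
        if entry and (host == entry or host.endswith("." + entry)):
            return None
    return proxy


def classify(stage, err=None):
    """Map the stage at which a direct connection failed to the likely
    admin-side cause (the thread's firewall / proxy / placement concerns)."""
    if stage == "dns":
        return "DNS: gateway name does not resolve from this network"
    if stage == "tcp":
        if isinstance(err, (socket.timeout, TimeoutError)):
            return "TCP/443 outbound dropped: egress firewall or proxy-only internet"
        return "TCP/443 refused or unreachable"
    if stage == "tls":
        return "TLS handshake failed: interception proxy or untrusted certificate"
    return "ok: gateway reachable on 443 with a valid certificate"


def check_gateway(url, timeout=5.0):
    """Attempt a direct, certificate-verified TLS connection to the gateway
    and return a dict describing how far it got."""
    host, port = parse_cag_url(url)
    result = {"url": url, "host": host, "port": port,
              "proxy": proxy_in_effect(host)}
    try:
        socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as err:
        result.update(stage="dns", verdict=classify("dns", err))
        return result
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as err:
        result.update(stage="tcp", verdict=classify("tcp", err))
        return result
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["tls_version"] = tls.version()
            result["subject"] = dict(x[0] for x in tls.getpeercert()["subject"])
    except OSError as err:  # ssl.SSLError is a subclass of OSError
        raw.close()
        result.update(stage="tls", verdict=classify("tls", err))
        return result
    result.update(stage="done", verdict=classify("done"))
    return result


if __name__ == "__main__":
    for u in sys.argv[1:] or CAG_URLS:
        r = check_gateway(u)
        note = f" (env proxy: {r['proxy']})" if r["proxy"] else ""
        print(f"{r['host']}:{r['port']} -> {r['verdict']}{note}")
```

Run it from a PC on each business's network with the other business's CAG URL as the argument. A "TCP/443 outbound dropped" verdict with a proxy reported from the environment is the "proxy-only internet" case: the browser may still load the login page through the proxy while the direct connection fails, which is the symptom an admin should expect before raising it with the proxy or firewall team.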
 
pma111Author Commented:
Sorry to sound dumb

But in this scenario, user X from org network X needs to access org Y's CAG

What ports need to be open on both org X's and org Y's firewalls? I assume there's a "permitted out" port, i.e. staff need to access an external site's CAG, so the firewall must let port 443 traffic "out" to enable them to create a connection.

So would port 443 by default not be permitted for "out" connections from internal staff?
0
 
pma111Author Commented:
Yes end users not CAG admins
0
 
pma111Author Commented:
I can access 1 of the CAGs (org Y) from the other's network (org X), just tried. So I assume that means one of the networks (org X) allows "outgoing" port 443 connections?
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Correct. I think you are overcomplicating this. Connecting to Citrix is very easy: install the client and connect!

Other than installing the client, which is required, that's all there is to it! It does not touch the PC, other than the installation!

If it does not connect, it's a firewall or Internet proxy issue on your LAN!
0