trojan81
 asked on

citrix web interface and access gateway

Citrix experts,

Can someone tell me some of the benefits with "front ending" the web interface with an access gateway for users connecting from outside?

I that's how it should be done in order to provide remote users access to the WI when they are out of the office. But technically, could it work without an access gateway?

Some benefits I see are that the Access Gateway can do the authentication and provide SSO into the WI... anything else?
Citrix, Remote Access

Last Comment
Coralon

8/22/2022 - Mon
Sekar Chinnakannu

Yes, web interface will if you are using VPN to connect to your network. Here are a few benefits of Access Gateway: http://www.cns-service.com/citrix/citrix-access-gateway.aspx
globalwebapps

There are many ways to handle authentication with or without Citrix. Depends on the environment and purpose of the web interface. For example, we provide our users multiple systems: Those applications that are only loosely coupled to our networks, and those that are fully integrated. For an e-commerce platform, Citrix wouldn't make much sense as it's likely to get in the way of access. A bug tracking system deployed outside our LAN, we would likely authenticate via encryption/salting/hashing etc. In both cases, data that we may need to share with our internal systems could be handled via SFTP or through an API. On the other hand, if we have an internal tool that stores sensitive data (such as HIPAA/HITECH-oriented) then users outside of our networks would be forced to Citrix in. Whether it's a web interface or Access interface wouldn't matter in that case. My rule of thumb is that if you can find a reasonable way around using Citrix, do it. Citrix can be slow and support a headache (not to mention very expensive!). However, if someone's remoting into your LAN, then Citrix is really the way to go.
basraj

You can always use the traditional method of configuring AGW with WI. You can place AGW in between Firewall, so AGW can either authenticate the users and send them to WI, which is in the internal network, or instead of authenticating, AGW can directly forward the request to WI in the internal network.

Again, if you still want to have WI instead of AGW, you can place it in Firewall, do a NAT, and requests are sent to the internal web interface. Ext IPs get translated in the Firewall, so you don't have to expose internal server IPs. If you cannot use AGW, try Secure Gateway, secure the connection with SSL.
trojan81

ASKER
Everyone, I appreciate your responses. Maybe I didn't ask my question correctly because it seemed like it was completely missed except for Mutawadi's response.

Yes I do have Netscaler front ended the WI for remote users. I was just asking for more "benefits" of having it setup that way. Suppose you have it setup this way too and someone asked you can it be accomplished without Netscaler and just have WI by itself. Of course we wouldn't think of doing it that way so this is just a hypothetical.

If I install an SSL cert on the WI server, and have users connect in from outside, then that would make the SSL connection to the WI. I can also have the users authenticate at the WI. So no need for the Netscaler for those purposes. Let's hear what other benefits does front ended it with CSG or Netscaler give me?
Ayman Bakr

Specifically NetScaler would have the following non-exhaustive advantages:

- Integration of the SSL VPN functionality of Access Gateway, Enterprise edition with Citrix SmartAccess; available when you purchase the AG universal client licenses.

- Intelligent hardware layer 4 (protocol and port number) load balancing, ensuring optimal distribution of traffic among application servers

- Global load balancing to manage multi-sites.

- Implements multiple TCP optimizations to improve the network traffic, leading to accelerated application performance

- Hardware based SSL acceleration reducing CPU utilization on servers. This greatly reduces the processing intensity of SSL connection and bulk encryption of web servers.
Coralon

Not being funny.. but the question is a complete waste of time.  If you *already* have a netscaler, then there is absolutely no reason to have a CSG.  

Coralon
trojan81

ASKER
Coralon,
When I say "access gateway" I'm referring to Netscaler.  You can have a Netscaler and not have Access Gateway.
Coralon

I know plenty about the Netscalers, not even vaguely a question. You mentioned a CSG (Citrix Secure Gateway):
"Let's hear what other benefits does front ended it with CSG or Netscaler give me?"

That's why I said it would be a waste of time if you had a Netscaler.  If you had the Netscaler, you would add the AG functionality rather than bother with a CSG.

However when it comes to a CAG vs. Netscaler w/AG, the CAG is coming to EOL soon, and Netscaler w/AG will be your only option soon.

Coralon