
Technology & Integration Practice Newsletter
Volume 1 Issue 2, Page 1

BETTER SECURITY FOR CITRIX®
By Rahul Sukumar

Are you still using ICA encryption to secure your Citrix connections over the internet? If so, you may be pleased to hear that Citrix now offers two much improved methods of securing traffic over public networks. While ICA provides fairly strong RC5 encryption for data traveling between your Citrix servers and the client device, you’re still susceptible to active attacks, such as man-in-the-middle attacks. Additionally, newer versions of the Citrix Admin Guide specifically warn against using ICA directly over public networks, such as the internet.

To solve this potential security weakness, Citrix has released new products that add an additional layer of protection using SSL. Using SSL to encrypt traffic over the internet has a number of benefits, including heightened security and better compatibility with ISPs that may block non-standard ports.

The first of these products takes the form of an SSL-VPN appliance, called the Citrix Access Gateway, that sits near the edge of your network. The box provides end-to-end, transparent SSL encryption for your Presentation Server farm, as well as other, non-Citrix applications. Unfortunately, you will pay a premium for a convenient all-in-one device such as this. But securing your Citrix farm with SSL doesn’t have to cost a lot, and in some cases, may cost you nothing at all.

Citrix has developed a small, straightforward application called the Secure Gateway that can be installed on a machine that sits in your DMZ, between your Citrix farm and your internet users. Currently in version 3.0, it provides the same transparent 128-bit SSL security that the Access Gateway gives you, but can only be used to secure Citrix sessions. What makes this solution particularly appealing is its cost: if you have an active Subscription Advantage agreement, you can download the Secure Gateway for free from your myCitrix site.

The Secure Gateway software can easily be installed on your existing web servers that host the Citrix Web Interface. The Secure Gateway then proxies traffic for both the Web Interface and your Citrix farm, providing a single point of entry for all internet users. Here’s a brief synopsis of how the Secure Gateway works:

  1. Users open a web browser and enter the URL for your Web Interface site, something like https://citrix.mycompany.com.
  2. The Secure Gateway, which is configured to listen on port 443, accepts this traffic and forwards it to the Web Interface site, typically running on port 80.
  3. The user logs in to the Web Interface using the authentication method preferred by your company. A simple username and password is most common, but the Web Interface can also be configured to use more advanced authentication mechanisms such as SecurID tokens or smart cards.
  4. After authenticating, users are presented with a series of icons representing the published applications to which they have been given access.
  5. Once the user chooses an application to launch, the Web Interface sends a request containing the client’s IP address to the Secure Ticket Authority (this role is usually performed by one or more Citrix servers in your farm). The ticket authority saves this information and then issues a ticket to the Web Interface.
  6. The Web Interface sends the user an ICA file that contains the FQDN of the Secure Gateway server. This ICA file is launched instantly using the Citrix client on the user’s device, and a connection is established to the Secure Gateway.
  7. The Secure Gateway checks to make sure the client’s ticket is valid, and then proceeds to encrypt and decrypt data moving between the client device and the server farm.
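The ticket handshake in steps 5 to 7 is the part that keeps the farm's real addresses out of the ICA file and lets the gateway refuse connections that never went through the Web Interface. The model below is an added illustration written for this article, not Citrix's code or wire format: the ticket value, its lifetime, its binding to the client address and its single-use consumption are assumptions chosen to show what a validating gateway has to check.

```python
import secrets
import time

TICKET_LIFETIME = 100  # seconds; assumed value, not a Citrix default


class SecureTicketAuthority:
    """Issues short-lived, single-use tickets bound to the requesting client's IP (step 5)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._tickets = {}         # ticket -> (client_ip, target_server, expiry)

    def request_ticket(self, client_ip, target_server):
        # The Web Interface asks for a ticket on the user's behalf; the STA records
        # which client it is for and which farm server should receive the session.
        ticket = secrets.token_hex(16)
        self._tickets[ticket] = (client_ip, target_server, self._now() + TICKET_LIFETIME)
        return ticket

    def validate(self, ticket, client_ip):
        # The Secure Gateway presents the ticket (step 7). It is consumed on first
        # use regardless of outcome, so a captured ticket cannot be replayed.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        bound_ip, target_server, expiry = entry
        if self._now() > expiry or bound_ip != client_ip:
            return None
        return target_server


class SecureGateway:
    """Terminates SSL on 443 and relays only ticket-backed sessions into the farm."""

    def __init__(self, sta):
        self.sta = sta

    def accept(self, client_ip, ica_file):
        target = self.sta.validate(ica_file["ticket"], client_ip)
        if target is None:
            return "rejected"      # unknown, expired, reused or wrong-client ticket
        return f"relay {client_ip} -> {target}"


def web_interface_launch(sta, client_ip, target_server, gateway_fqdn):
    # Step 6: the ICA file names the gateway and carries the ticket, never the farm server.
    ticket = sta.request_ticket(client_ip, target_server)
    return {"gateway": gateway_fqdn, "ticket": ticket}
```

The constructed addresses and server names in the checks are illustrative only; the point is that a ticket presented twice, from a different address, or after its lifetime is refused before any ICA traffic reaches the farm.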

Because the Secure Gateway uses SSL, you will have to contend with the standard annoyances that public-key infrastructure solutions create, i.e. distributing the root certificate to your users and/or remembering to renew the Secure Gateway’s certificate when it expires. Additionally, the gateway requires the use of Citrix’s Web Client or Program Neighborhood Agent, so users who are currently connecting via the Program Neighborhood client may need to download and install additional packages.

Gripes aside, the Secure Gateway is one of the easiest and most cost-effective ways to improve the security and usability of your Citrix environment. Connections are just as speedy and stable as standard ICA sessions, and when used with the session reliability feature found in Presentation Server 4, your session stays active and connected even during network interruptions (especially useful for wireless and high-latency connections). The Citrix Secure Gateway provides a secure, scalable method of web-enabling any of your enterprise applications. For more information on this or any other Citrix solutions, please contact me at vcs@getvitalized.com.