How to Configure Citrix Access Gateway for Advanced Access Control
Aaron Cockerill, Dir. Product Management
Patrick Boucher, Senior Sales Engineer
Hopeful Owitti, Senior Architect
2 © 2005 Citrix Systems, Inc.—All rights reserved.
Agenda
1 Access Gateway for Advanced Access Control
2 Advanced Access Control Console
3 Examining the Endpoint Security SDK
4 Conclusion
Citrix Delivers Access Security
Perimeter Security: establishes a barrier to keep malicious attacks from affecting the productivity of the organization
Access Security: provides regulated access to the business resources users need to perform their duties
Secure Access Challenges
• Anywhere access to business applications and data
• Expanding access to more users and device types cost-effectively
• Prevent downtime and business loss from security breaches
• Meet or exceed security, privacy and regulatory concerns
[Figure: access from a Mobile PDA, Kiosks, a Partner Machine, a Corporate Laptop and a Home Computer]
The Customer Problems
• Endpoint security, identification, and integrity validation
• Centralized access control to all IT resources
• Hardened Appliance
• Control over how information and applications can be used
• Consistent user experience
– Bandwidth
– Latency
– Device idiosyncrasies
• Cannot access from behind firewalls
• Access from widely varying devices
• Minimize re-authentication on re-connect
• Need access to all internal IT resources
[Figure: Mobile PDA, Home Computer, Partners and Corporate Laptop reach, across the Internet and a firewall, the Access Gateway and, behind a second firewall, Advanced Access Control, which front File Servers, Web or App Servers, CPS Applications, Local Users, Email Servers, Desktops & Phones]
Citrix Access Strategy
[Figure: two approaches to delivering the same set of capabilities]
Capabilities: Enterprise Single Sign-On, SSL VPN, Access Rights Management, End-Point Security, Real-Time Collaboration, User Assistance, Application Delivery, Visibility & Reporting
• Piece-Part Approach: Security, Interoperability & Management Gaps
• Integrated Approach: Secure, Integrated, Flexible & Extensible
Product Components
Access Gateway + Advanced Access Control
Access Gateway:
• Access Gateway hardened appliance in DMZ
• Enables end-to-end secure communication via SSL
• Authentication point
• Enforces policies generated by Advanced Access Control
Advanced Access Control:
• Deployed in a secured network
• Deployed on Windows Server platform
• Centralizes administration, management & policy based access control
• Centralized reporting and auditing
• Manages endpoint analysis and client delivery
• Extends access to more devices and scenarios
• Advanced policy engine with action control
Advanced Access Control: Features & Benefits
Feature: Policy-based Access and Action Control
Function: Detect and adapt policies based on access scenario to control the flow of the organization’s sensitive data
Benefit:
• Granular access controls
• Intellectual property protection
• Extend user’s access to more situations
• Enhances security without affecting the user experience
Feature: Endpoint Analysis
Function: Determines client device status for access policies and provides device remediation.
Benefit:
• Enables corporate and regulatory compliance
• Extensible with industry standard development tools to meet customer needs
Feature: Browser-only Access
Function: Access with any web browser on any device to web sites, files, and email
Benefit:
• No additional client components
• Ubiquitous access
Feature: Mobile Device Awareness
Function: Re-factored email and file interface for PDAs and small-form factor devices
Benefit:
• Seamless device transition
• User productivity
Feature: Extended Access Control for Presentation Server
Function: Policy-based control of Presentation Server using end-point analysis and network location awareness
Benefit:
• Address regulatory and security concerns
• Enhances Web Interface
Feature: Centralized Logging and Trend Reporting
Function: Provide sophisticated usage data for troubleshooting and planning
Benefit:
• Improved management
• Easy integration with 3rd party tools
SmartAccess Technology
Extensive policy-based sense and response
–Automatically reconfigures the appropriate level of access as users roam between devices, locations and connections
–Advanced, extensible end-point security policies and analysis
–Action control defines what the user can access, and what actions they can take
SmartAccess: Overview
Analyze Access Scenario:
• Analyze endpoint to ensure connections are:
– Safe – ensure connection will not harm corporate infrastructure
– Trusted – analyze user, machine, and network identity to ensure the connection is being made as claimed
– Secure – ensure malicious parties cannot attack corporate infrastructure from connecting devices
• Provide an extensible architecture (via SDK) to allow customers and 3rd parties to easily create custom scans
Inputs to the access scenario:
• Machine Identity: NetBIOS name, Domain Membership, MAC address
• Machine Configuration: Operating System, Anti-Virus System, Personal Firewall, Browser
• Network Zone
• Login Agent
• Authentication Method
• Custom Endpoint Scans
SmartAccess: Overview
Analyze Endpoint & Connection:
• Machine Identity: NetBIOS name, Domain Membership, MAC address
• Machine Configuration: Operating System, Anti-Virus System, Personal Firewall, Browser
• Network Zone
• Login Agent
• Authentication Method
• Client Certificate Queries
• Custom Endpoint Scans
Implement Access Control:
• CPS applications
• File & network shares (UNCs)
• Web based email
• Web sites (URLs)
• Web applications
• Email & application synchronization
Policy Based Access Control:
• Situational or contextual access control based on user membership, authentication strength, device and connection to ensure IT resources are not exposed to unwarranted risk
SmartAccess: Overview
Implement Resource Usage Control (the third stage, after endpoint analysis and access control):
• Full download of documents
• LiveEdit
– Edit locally
– Save back to server
– Retain in memory during edit
– Avoid data leakage on client
• Preview documents with HTML
– Access from PDAs
– View without application on client
• Attach to email
– Avoid data transmission to client
• CPS Applications
– Control available applications
– Limit local mapped drives & printing
Intellectual Property Control:
• Manage the use of sensitive information by:
– controlling how information is accessed and used (CPS, HTML Preview, LiveEdit etc.)
– controlling what can be done with that information (download, print, save, copy, etc.)
– ensuring no data is left on the local machine
• Enable companies to log all access
Granular Access Controls
Corporate Desktop:
• File Download
• Local Edit and Save
• File Upload
• E-mail Sync
• Web E-mail
• Full Presentation Server Access
• Full Presentation Server App Set
Remote Corporate Device:
• Edit in Memory
• Limited Presentation Server access (read-only local drive mapping)
• Limited Presentation Server application set
• File Preview
• File Upload
• E-mail Sync
• Web E-mail
Public Kiosk:
• File Preview
• Web E-mail
• Controlled Presentation Server Access
Browser-only Access
• Extend access to any device with a browser
• Absolutely no client required
• Deliver e-mail, file shares, web sites/applications to any device with a browser
• Automatically render Microsoft Office documents to HTML preview
Browser-only Access: Overview
• For use when an Access Gateway client is not deployed
• Obfuscates internal URLs
• Controls client-side caching
• Enforces access control
• Provides access to:
– Protected Web Sites, via the Web Proxy
– File Shares, via the Nav UI
– Web email, via Outlook Web Access, iNotes, or the Nav UI
Mobile Device Awareness
• Support for small form-factor devices:
– Nav UI
– Web Email
– File Browser
– HTML Preview
– Email as attachment
• Supported platforms:
– Palm
– RIM Blackberry
– PocketPC 2000/2003
– Microsoft Smartphones
Mobile Device Awareness: User Experience
• User types the logon point URL into the PDA browser
• User enters login credentials, including two-factor as necessary
• After successful authentication, user is informed of session start
• User is presented with the file and email interface
Mobile Device Awareness: User Experience
• Create/view email
• Access shared or mapped drives
• Access, view and email Microsoft Office files without download
• Email documents from file shares
Access Gateway and Advanced Access Control 4.2
Access Gateway + Advanced Access Control: defining a new level of control and access!
Agenda
1 Access Gateway with Advanced Access Control
2 Advanced Access Control Console
• Overview
• Creating Resources
• Authentication and Logon Points
• Creating and Applying Policies
• Access Scenarios
3 Examining the Endpoint Security SDK
4 Conclusion
Designing an Access Strategy
1. Inventory all IT resources
2. Group resources into levels of sensitivity
3. Define end user access scenarios
4. Associate end user access scenarios with levels of sensitivity
5. Develop phased approach to implementation
Advanced Access Control
Advanced Access Control includes:
– Policy-based access control
– Action rights control
– Clientless access
– Roaming policies
Configuring Advanced Access Control
• Add Resources
– Web, Files, Email, Network Connections, Presentation Server
• Configure the Access Gateway within the Access Console
• Configure Authentication
– Support for Strong Authentication like SafeWord Tokens
• Configure Logon Point Properties
• Create Policies to control resource access
Important: By default, users are denied access to network resources until you create policies that grant them access permission.
Creating Web Resources
• Web pages or web sites
• Group related URLs as a single Web resource
• Pass-through authentication methods:
Optional Settings:
– Bypass URL rewriting
– Interface common for all browser types
Creating File Share Resource
• Shared directories
• Group related shares as a single resource
• You can use variables
• Publish a file share
– Browse to File Share
– Navigate to unpublished shares
– Access controlled by policy
Creating Email Resource
• Supported Web email applications
– Microsoft Outlook Web Access
– Lotus Notes/Domino
• Microsoft OWA Supports Small Form Factor Devices
Note: Enter the URL of the load balancer as the start page
Creating Network Resources
• TCP / UDP access via Secure Access Client
• Securely connect to services through the Access Gateway
• Simply specify a server and the port(s)
[Figure: a Corporate Laptop on the Internet connects through firewalls to the Secure Gateway and on to File Servers, Web or App Servers, Presentation Server Applications, E-mail Servers and IP Phones]
Accessing Presentation Server
• Access published applications
• Apply policies to Citrix Presentation Server:
– Published applications
– Workspace Control
– Policies like client-drive mapping and local printing
Accessing Presentation Server, Step #1 – Presentation Server Console
Accessing Presentation Server, Step #2 – AAC Console
Alternative Means of Accessing Presentation Server
Within Advanced Access Control:
• Web Interface as a Web application
– Single Sign On Optional
• File type association
– Documents available via related Presentation Server Applications
• Access center
– Program Neighborhood or Embedded Application
Within Citrix Presentation Server 4.0:
• Associate Published resources to AAC policies
• Allow connections through MetaFrame Secure Access Manager
• Trust requests sent to the XML Service
Configuring the Access Gateway
• Administer the appliance using:
– Access Gateway Administration Tool
– Access Suite Console
Configuring the Access Gateway From the Access Suite Console
• Configure IP routing
• Configure static routes
• Leverage RIP and RIP2
Resource Groups
• Group resources into a single entity
• Requires fewer total policies
• Eases policy administration
Advanced Authentication
• Advanced Authentication Types
– Secure Computing SafeWord
– RSA SecurID
– LDAP
– RADIUS
The Logon Point
Logon Points:
– Defines the logon page for users
– Specifies settings that are applied to user sessions
– Specifies authentication strength
– Specifies the home page
– Specifies the MetaFrame Presentation Server farms
The Logon Point
• Testing With Your Sample Logon Point
– SampleLogonPoint at: Http://Server-Name/CitrixLogonPoint/SampleLogonPoint
Important: The sample logon point is designed for testing purposes only
Deploying the Logon Point
• Multiple Logon Agents can point to an Advanced Access Control Farm
• Logon Points are only available when deployed by an administrator
Policies - Controlling Access
• Dynamic control to resources and connections
• You can create two types of policies:
– Connection Policies control Secure Access Client connections
– Access Policies are granular permissions to resources
• When configuring policies, you define:
– Users / Groups
– Conditions when the policy applies
The access scenario is the information about the user and the user’s client device. This information is used to determine policy enforcement.
Creating Connection Policies
Connections that use the Secure Access Client
• Assign filters to connection policies
– Filters are conditions that define when the policy applies
• One of the filters is a continuous scan filter
– A scan that monitors during the entire user session
– Disconnection occurs when the client device ceases to meet the requirements
Creating Access Policies
Creating Policy Filters
• Three types of conditions
– Logon point - access based on the URL through which the user connects to the network
– Authentication strength - whether users authenticate with passwords only or use advanced authentication
– Endpoint analysis scan outputs - based on information gathered by endpoint analysis scans
Remember your filters can be used within Citrix Presentation Server
Creating Policy Filters: Endpoint Analysis
Creating Policy Filters: Filter Creation
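As an added example (not code from the Citrix product or from this deck), the C++ model below shows how the three filter types combine with group membership in an access policy, how the rights granted by several applicable policies accumulate, and how the default deny from the configuration slide applies when no policy matches. The group names, logon points, scan-output names and the SalesDocs resource are assumed for illustration.

```cpp
// Added example, not Citrix code: a model of how Advanced Access Control access
// policies with filters are evaluated against an access scenario. All type,
// group, logon point and scan-output names are hypothetical.
#include <functional>
#include <map>
#include <string>
#include <vector>

// Authentication strength as a filter sees it: passwords only, or advanced
// authentication (SafeWord, SecurID, ...).
enum class AuthStrength { PasswordOnly, Advanced };

// The access scenario: what is known about the user and the client device.
struct AccessScenario {
    std::string user;
    std::vector<std::string> groups;
    std::string logonPoint;                   // logon point the user connected to
    AuthStrength auth;
    std::map<std::string, bool> scanOutputs;  // boolean endpoint analysis outputs
};

// Action rights a policy can grant on a resource (resource usage control).
struct ActionRights {
    bool access;       // resource is reachable at all
    bool download;     // full download to the client
    bool saveLocally;  // local edit and save
    bool print;        // print locally
};

// A filter is one condition on the scenario; these are the three kinds the slides list.
using Filter = std::function<bool(const AccessScenario&)>;
Filter logonPointIs(const std::string& lp) {
    return [lp](const AccessScenario& s) { return s.logonPoint == lp; };
}
Filter authAtLeast(AuthStrength minimum) {
    return [minimum](const AccessScenario& s) { return s.auth >= minimum; };
}
Filter scanOutputTrue(const std::string& output) {
    return [output](const AccessScenario& s) {
        auto it = s.scanOutputs.find(output);
        return it != s.scanOutputs.end() && it->second;  // absent output counts as false
    };
}

struct AccessPolicy {
    std::string resource;
    std::vector<std::string> groups;  // users / groups the policy is assigned to
    std::vector<Filter> filters;      // every filter must hold (AND)
    ActionRights grants;
};

bool policyApplies(const AccessPolicy& p, const AccessScenario& s) {
    bool inGroup = false;
    for (const auto& g : p.groups)
        for (const auto& sg : s.groups) inGroup = inGroup || g == sg;
    if (!inGroup) return false;
    for (const auto& f : p.filters)
        if (!f(s)) return false;
    return true;
}

// Default deny: a user has no rights on a resource until a policy grants them;
// the rights of all applicable policies are combined.
ActionRights evaluate(const std::vector<AccessPolicy>& policies,
                      const AccessScenario& s, const std::string& resource) {
    ActionRights r{false, false, false, false};
    for (const auto& p : policies) {
        if (p.resource != resource || !policyApplies(p, s)) continue;
        r.access = r.access || p.grants.access;
        r.download = r.download || p.grants.download;
        r.saveLocally = r.saveLocally || p.grants.saveLocally;
        r.print = r.print || p.grants.print;
    }
    return r;
}

// Constructed sample policies for one file share resource, "SalesDocs".
std::vector<AccessPolicy> samplePolicies() {
    std::vector<AccessPolicy> v;
    // Any Sales user on the external logon point: HTML preview only, nothing leaves the server.
    v.push_back({"SalesDocs", {"Sales"}, {logonPointIs("CtxExternal")}, {true, false, false, false}});
    // Sales user with strong authentication on a domain-joined device running anti-virus.
    v.push_back({"SalesDocs", {"Sales"},
                 {scanOutputTrue("DomainMember"), scanOutputTrue("AntiVirusRunning"),
                  authAtLeast(AuthStrength::Advanced)},
                 {true, true, true, true}});
    return v;
}

// Scenario 1: sales employee on a public kiosk (password only, no scan outputs).
ActionRights kioskRights() {
    AccessScenario s{"alice", {"Sales"}, "CtxExternal", AuthStrength::PasswordOnly, {}};
    return evaluate(samplePolicies(), s, "SalesDocs");
}
// Scenario 2: the same employee on a corporate laptop that passed both scans.
ActionRights laptopRights() {
    AccessScenario s{"alice", {"Sales"}, "CtxExternal", AuthStrength::Advanced,
                     {{"DomainMember", true}, {"AntiVirusRunning", true}}};
    return evaluate(samplePolicies(), s, "SalesDocs");
}
// Scenario 3: partner user; no policy names the Partners group, so default deny holds.
ActionRights partnerRights() {
    AccessScenario s{"bob", {"Partners"}, "CtxExternal", AuthStrength::Advanced,
                     {{"DomainMember", true}, {"AntiVirusRunning", true}}};
    return evaluate(samplePolicies(), s, "SalesDocs");
}
```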
Accessing the Entire Network
• All servers and services on your secure network
• Use the Entire Network resource to:
– quickly set up your deployment and test access
– provide unlimited access to a special class of user, such as administrators who need wide access for disaster recovery or emergency operations
– provide open access by default and later develop policies that deny access to specified resources according to your security plan
[Figure: CPS Applications, Web or App Servers, File Servers, Email Servers, Desktops & Phones]
Access Scenario #1
• User Access Profile
– Corporate Sales Employee
– iForum Internet Kiosk
– Located within Mandalay Bay, Las Vegas
End User Experience: Partial Access
[Figure: Corporate Laptop, Partner Machine, Mobile PDA and Kiosk Computer connect over the Internet, through firewalls, to the Secure Gateway and Advanced Access Control, which front Web or App Servers, Presentation Server Applications, File Servers, E-mail Servers and IP Phones. The policy panel lists the controls that are set for each scenario:]
• Download and Access Information: Full download / Download to memory only / Access via CPS only / Preview in HTML only
• Edit and Save Changes: Save locally / Save only to network / Save disabled
• Print: Print locally / Print to selected printers / Printing disabled
• Presentation Server Applications
Access Scenario #2
• User Access Profile
– Employee of a Partner Organization
– Partner Provisioned Desktop (UNTRUSTED)
– Located within Partner Organization Office
End User Experience: Partial Access
[Figure: same network diagram and policy panel as Access Scenario #1, with a Home Computer in place of the Kiosk Computer]
Access Scenario #3
• User Access Profile
– Corporate Sales Employee
– Corporate Provisioned Laptop
– Located within Mandalay Bay, Las Vegas
End User Experience: Partial Access
[Figure: same network diagram and policy panel as Access Scenario #1, with a Home Computer in place of the Kiosk Computer]
Access Scenario #4
• User Access Profile
– Corporate Sales Employee
– Corporate Provisioned Laptop
– Located within Corporate Remote Office Location
End User Experience: Full Access
[Figure: same network diagram and policy panel as Access Scenario #1, with a Home Computer in place of the Kiosk Computer]
Agenda
1 Access Gateway with Advanced Access Control
2 Implementing Advanced Access Control
3 Examining the Endpoint Security SDK
• Endpoint Analysis Overview
• Endpoint Analysis SDK
• Developing Custom Scans
4 Conclusion
Essence of SmartAccess: Resource Usage Control
Endpoint Sensing (Endpoint Analysis; User Status) answers "Which user?":
• Machine Identity: NetBIOS name, Domain membership, MAC address
• Machine Configuration: Operating System, Anti-Virus System, Personal Firewall, Browser Type
• Network Zone: Device location (internal or external)
• Authentication Method: Machine logon (Windows, Novell, etc), Strong Authentication (RSA Security, Secure Computing, ActivCard)
• Custom Scans
Access Control (Policy-based Access) answers "Who can access what data?":
• Presentation Server applications
• File & Network shares
• Web-based email
• Web sites
• Web applications
• Email & application synchronization
Action Control answers "What action can the user take?" (User Scenario: Edit, View Only, Print, Save):
• Copy/Paste
• Save
• Preview
• Save to network
• Save locally
• Log access
Implementation Requirements
• Win32 Clients
• Microsoft Internet Explorer 5 or 6 with cookies enabled and permission to load signed ActiveX controls, if distributing the ActiveX control
• Netscape Navigator 7 or greater or Mozilla Firefox, if distributing the browser plug-in
Endpoint Analysis Terminology
• Endpoint Analysis gathers information about client devices accessing your networks and verifies that data against pre-set requirements
• Endpoint Scans allow you to enforce policies based on scan results
– Define properties to verify on the client device
– Define conditions under which the scan is run
• Rules contain sets of conditions defining when to run the scans and which conditions to verify
– Multiple rules can apply to one scan package
• Scan Outputs contain information detected from the client device or Boolean expressions indicating a true/false scan result.
Example:
• Internet Explorer Scan:
– property to verify on client = version
– condition to run scan = logon point
• Rules:
– All Win32 clients except XP & 2003
• Because XP & 2003 already have the version 6 that is needed
– When logon point = CtxExternal
• Because CtxInternal is used by employees who know better
• Outputs:
– Return true if version is 6 or greater!
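The Internet Explorer scan example above, modelled in C++ as an added example (not Citrix SDK code; a real package would implement this through the SDK's client and dispatcher entry points): the rules gate whether the scan runs for a given client, the client-side enquiry returns only the raw version string, and the server-side post-processing compares it with a minimum-version parameter to produce the boolean output. The operating-system names, the logon point CtxExternal and the minimum-version parameter are assumed for illustration.

```cpp
// Added example, not Citrix SDK code: a model of the Internet Explorer version scan.
// Rules decide whether the scan runs for this client, the client-side enquiry returns
// only the raw version, and the server-side post-processing compares it with the
// minimum-version parameter to produce the boolean output. Names are hypothetical.
#include <cstdio>
#include <string>
#include <vector>

// What the logon agent already knows about the client before any package code runs.
struct ClientContext {
    std::string os;          // e.g. "Windows2000", "WindowsXP", "Windows2003"
    std::string logonPoint;  // e.g. "CtxExternal"
};

// A rule: run only for this logon point and not for the excluded operating systems.
struct ScanRule {
    std::string logonPoint;
    std::vector<std::string> excludedOs;
};

bool ruleApplies(const ScanRule& r, const ClientContext& c) {
    if (c.logonPoint != r.logonPoint) return false;
    for (const auto& os : r.excludedOs)
        if (os == c.os) return false;
    return true;
}

// Parse a dotted version string such as "6.0.2900.2180" into numeric components.
std::vector<int> parseVersion(const std::string& v) {
    std::vector<int> parts;
    int current = 0;
    for (char ch : v) {
        if (ch >= '0' && ch <= '9') current = current * 10 + (ch - '0');
        else if (ch == '.') { parts.push_back(current); current = 0; }
        else break;  // trailing text such as " SP1" is not part of the version
    }
    parts.push_back(current);
    return parts;
}

// Compare two versions component-wise; missing components count as 0, so "6" == "6.0.0".
int compareVersion(const std::string& a, const std::string& b) {
    std::vector<int> pa = parseVersion(a), pb = parseVersion(b);
    size_t n = pa.size() > pb.size() ? pa.size() : pb.size();
    for (size_t i = 0; i < n; ++i) {
        int x = i < pa.size() ? pa[i] : 0;
        int y = i < pb.size() ? pb[i] : 0;
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

enum class ScanResult { NotRun, Pass, Fail };

// Client-side enquiry (the role of the client detection code): answer a property query
// with raw data only. The success criterion never reaches the client, which is why the
// code and data sent to the client do not reveal the evaluation threshold. The detected
// value is injected by the caller here instead of being read from a real browser.
std::string clientEnquiry(const std::string& property, const std::string& detectedIeVersion) {
    return property == "version" ? detectedIeVersion : "";
}

// Server-side dispatcher (the role of the server enquiry code): apply the rules, issue
// the enquiry and post-process the raw answer into the boolean scan output.
ScanResult runIeVersionScan(const ClientContext& ctx, const std::string& detectedIeVersion,
                            const std::string& minimumVersion) {
    ScanRule rule{"CtxExternal", {"WindowsXP", "Windows2003"}};  // the two rules from the slide
    if (!ruleApplies(rule, ctx)) return ScanResult::NotRun;
    std::string raw = clientEnquiry("version", detectedIeVersion);
    if (raw.empty()) return ScanResult::Fail;  // no answer from the client: fail closed
    return compareVersion(raw, minimumVersion) >= 0 ? ScanResult::Pass : ScanResult::Fail;
}

int main() {
    // Constructed sample clients: XP is excluded by rule, Windows 2000 is scanned.
    const char* names[] = {"NotRun", "Pass", "Fail"};
    ScanResult xp = runIeVersionScan({"WindowsXP", "CtxExternal"}, "6.0", "6.0");
    ScanResult old = runIeVersionScan({"Windows2000", "CtxExternal"}, "5.5.4807.2300", "6.0");
    ScanResult ok = runIeVersionScan({"Windows2000", "CtxExternal"}, "6.0.2900.2180", "6.0");
    std::printf("XP: %s, Win2000 IE5.5: %s, Win2000 IE6: %s\n",
                names[static_cast<int>(xp)], names[static_cast<int>(old)], names[static_cast<int>(ok)]);
    return 0;
}
```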
High-Level Architecture
[Figure: Endpoint Device on the Internet; Access Gateway in the DMZ; Advanced Access Control Services, Administration Layer (CMI) and Data Layer on the Protected Network (LAN)]
Endpoint Device:
• EPA Client Object: Native Win32 DLL - ActiveX control or plug-in that hosts the enquiries
• Package code (endpoint copy): code modules for both client and server side execution; cached locally by Service and on endpoint device; script or C/C++ native DLLs according to the whims of package authors; extracted from DB and deployed to Service using the Deployment Service
Access Gateway:
• EPA Proxy: forwards requests from the EPA client to the EPA Service
Logon Agent Service:
• EPA Activation Page: generates the client-side code to deploy (if necessary) and start the EPA Client object on the endpoint device when a new session request is detected
Advanced Access Control Services:
• EPA Web service: executes server-side package code to generate client enquiries; performs post-processing on results for use by policy engine
• Package code (server copy): code modules for both client and server side execution; cached locally by Service and Proxy components; script or C/C++ native DLLs according to the whims of package authors; extracted from DB and deployed to Service and Proxy using the Deployment Service
• Deployment Service
Data Layer:
• EPA tables: extension of the farm database to hold the contents of packages and associated rules
Administration Layer (CMI):
• EPA Business Objects: .Net assembly objects that form abstraction layer over the database tables
• EPA Admin UI: package rule configuration; extensions to Logon Agent configuration related to EPA (mutual trust, service location); delivered as a .NET assembly
Evaluation Process
[Figure: sequence among Client Browser, Access Gateway, Logon Agent Service, EPA Proxy, EPA Web Service and the Access Control & Policy Engine]
1. Client Browser connects to the Access Gateway
2. Access Gateway begins the login sequence with the Logon Agent Service
3. Logon Agent Service returns agent activation + initial enquiries to the browser
4. Agent sends requests for package code, or intermediate data, through the EPA Proxy to the EPA Web Service
5. Agent executes the scan
6. EPA Web Service returns package code, or more enquiries
7. Agent posts the scan output
8. EPA Web Service posts the transformed final results to the Access Control & Policy Engine
9. Policy Engine returns GO/NO-GO and the browser is shown the login or access denied page
Endpoint Analysis Client
• ActiveX or Plugin client that requires user confirmation to execute
• Includes Control Applet to manage trusts and cache – code is cached to ApplicationData\Citrix\EPA
• Provides flexible range of security, identity, and device integrity checks on client machines
Endpoint Analysis – FYI
• Endpoint analysis completes before the user session consumes a license – requires user’s permission to initiate scan
• Code and data sent to client does not reveal success criteria for evaluation
• The client agent and the endpoint analysis server are stateless
• Client caches downloaded code by site
• Command line utilities available for updating parameters and data sets
• Disallowed error page can be customized
Visual Studio .Net Add-in
• Extends existing Visual Studio concepts
– New Endpoint Analysis Solution and File Types
– Wizard driven package development
– Extend Solution and Project Properties
– Extend build environment to auto-generate .cab file
• Package Developer “Fills in the Blanks” to provide new Analysis functionality
• Contains all projects associated with a package
• Allows use of Visual Studio tools for localizing packages via Resource Files
Visual Studio .Net Add-in
Client-side detection code
Server-side enquiry code
Environment Setup
• Install Microsoft Visual Studio .Net 2003
• Download and Install the Endpoint Analysis SDK:
– http://apps.citrix.com/cdn
• Add the EPA Include path to the INCLUDE environment variable or within Visual Studio
– Located by default at: C:\Program Files\Citrix\EndpointAnalysisSdk\Include
• Install dependent APIs or Executables if needed
• Create Advanced Access Control testing environment
Step 1 – Create Project Stub
• Launch Visual Studio and create new project
• Determine cab file location
– Cab file is imported as a scan package within Access Suite Console
• Identify your package
– Use company domain for URI value
• Determine development language
– C++ or VBScript
• Define first boolean output
– Additional outputs can be defined later
– Outputs can be boolean, strings, integers or version but only boolean outputs used in policies
Step 2 – Edit Package Properties
• Select File -> Edit Endpoint Analysis Package Properties
• Edit Version and other general properties if desired
• Add more outputs if needed
– Outputs can be used for logging or as input parameters to other scans
• Modify Parameter List
– Parameters can have range of valid values to compare against output
– Value lists can be updated using command line utilities
• Define additional prerequisites
– Prerequisites determine conditions for code execution
• Define entry point for Dispatcher Code
– RequestScan entry point defined by default
– Specify required prerequisites and parameters for the entry point
Step 3 – Code and Debug
ClientDownload.cpp hosts client detection logic
Define exportable function on the client. Server component is instructed what function to call.
Step 3 – Code and Debug
Dispatcher.cpp contains server-side detection code
Entry points are added automatically when set in the EPA properties screen; the signature includes two parameters:
• IEPAEnvironment: registers client queries and provides access to datasets
• IEPAParameterCollection: contains parameters defined in scan properties
Step 4 – Package and Deploy
• Building the solution creates a cab file for the scan package in the designated directory
• Cab file contains:
– An XML manifest that describes the operation of the EPA package
– Zero or more bitmaps to serve as icons within the Access Suite Console
– One or more code or script files (code modules in script format or Win32 DLLs)
– One or more resource files (one per language into which the vendor has localized the package)
• Deploy the cab file in test environment
– Import the cab file through the Access Suite Console
– Deploy the cab file from within Visual Studio
Questions?
Before you leave…
• Recommended related breakout sessions:
– 3113: Protecting Intellectual Property with the Citrix Access Suite 4.0
• Tuesday, October 11 @ 9:00am -- 9:50am
– 2128: Citrix Access Gateway, the Best Way to Secure Citrix Presentation Server
• Tuesday, October 11 @ 3:30 -- 4:20pm
• Session surveys are available online at www.citrixiforum.com Tuesday, October 11 (please provide feedback)
• Breakout session handouts are located at the Breakers Registration Desk South
Citrix Technology Lab
• Learn how Citrix leads the industry in access products that deliver the best access experience.
– Where: Mandalay Bay Ballroom I
– When: Monday 12pm – 3pm; Tuesday 10am - 4pm
• Meet the Architects – Monday & Tuesday: 1pm – 3pm