Access Gateway Operation: Client Network Stack
– All traffic is tunneled in SSL to the gateway.
– The Access Gateway opens TCP or UDP connections to servers on the user's behalf.
(Diagram: Client --SSL--> Access Gateway --> Servers)
Secure Gateway Capabilities
– Single or double-hop DMZ support
– No VPN client required; works with native, Java, and ActiveX ICA clients
– Supports SmoothRoaming and workspace control
(Diagram: Internet --80/443--> DMZ 1 --> DMZ 2 --> Internal network with STA & XML Server, Web Interface and CPS Server; ports shown: 80/443, 1080/443, 1494, 2598)
Full Client Operation
– The application connects to an IP address that the gateway client (CitrixSAClient.exe) intercepts.
– Intercepted traffic appears to originate from the gateway to the client, on port 10010 (local ports shown: :10000, :10010, :10020, :10040).
– The VPN client initiates a new SSL connection to the gateway on port 443.
– Interception is done in kernel space by an NDIS shim; the VPN client itself runs in user space.
(Diagram: Applications --> local ports :10000/:10010/:10020/:10040 --> CitrixSAClient.exe --SSL :443--> Access Gateway)
VPN Client in Non-admin Mode
– The application connects to an IP address that the gateway client (CitrixSAClient.exe) intercepts.
– Intercepted traffic appears to originate from the gateway to the client, on port 10010 (local ports shown: :10000, :10010, :10020, :10040).
– The VPN client initiates a new SSL connection to the gateway on port 443.
– In non-admin mode interception is done in user space by a Winsock shim instead of a kernel-space NDIS shim.
(Diagram: Applications --> Winsock shim --> CitrixSAClient.exe --SSL :443--> Access Gateway)
What types of traffic can the non-admin VPN client intercept?
OK in non-admin mode:
– Internet Explorer, Firefox, etc.
– ICA Client, RDP Client
– Outlook, Lotus Notes
– Java applets
– Most TCP-based applications
Requires admin mode:
– VoIP
– CIFS/SMB
– Streaming video
– Any UDP traffic
Direct Access to File Shares via AG
(Diagram: Client --VPN: 443--> Access Gateway --> File Server)
Ports used from the Access Gateway into the network:
– CIFS: 445 (TCP)
– Browsing: 3268 (GC) or 137-139 (NBT)
– Kerberos KDC: 88 (TCP)
Browser Access to Files via Advanced Edition (or Enterprise Edition)
(Diagram: Client --HTTPS: 443--> Access Gateway --HTTP(S): 80 or 443--> Advanced Access Control server --CIFS, etc.--> File Server)
Exchange and MAPI
(Diagram: Client --> Exchange)
Ports used by MAPI:
– RPC Port Discovery: 135
– Exchange Directory NSPI Proxy Interface: (dynamic)
– Exchange Information Store Interface: (dynamic)
– Exchange Site Replication Service: (dynamic)
Option #1: Proxying MAPI with Access Gateway
(Diagram: Client --VPN: 443--> Access Gateway --> Exchange)
Ports proxied through the gateway:
– RPC Port Discovery: 135
– Exchange Directory NSPI Proxy Interface: (dynamic)
– Exchange Information Store Interface: (dynamic)
– Exchange Site Replication Service: (dynamic)
Microsoft KB: Configuring Static Exchange Ports, http://support.microsoft.com/kb/270836/
Option #2: Proxying MAPI over HTTP
(Diagram: Client --VPN: 443--> Access Gateway --HTTP: 80--> Exchange Front-end or IIS 6.0 RPC Proxy --135 / dynamic port--> Exchange)
– Con: Requires Outlook client reconfiguration
Presentation Server Access
(Diagram, zones Internet | DMZ | Trusted Network: Client --SSL/TLS (Port 443)--> Access Gateway --HTTP (Port 80) OR HTTPS (Port 443)--> Web Interface; into the Trusted Network: ICA protocol (Port 1494 or 2598) and XML (Port 80 OR 443) to the Citrix Presentation Server Farm)
– No Windows in the DMZ, just a hardened appliance
– Web Interface servers may be brought onto the Trusted Network and shared with LAN users
– Access Gateway credentials can be relayed to Web Interface for single sign-on to Presentation Server
– Use SSL Relay to encrypt XML/STA traffic
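The DMZ design above reduces to a small set of allowed flows between three zones. The following checker, added here as an illustration and not part of the slide deck, encodes those flows (ports as given on the slide) and reports a firewall rule set that misses a required path or that lets the Internet reach the Trusted Network directly, bypassing the appliance. The zone names, rule format and sample policy are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str    # zone: "internet", "dmz" or "trusted"
    dst: str
    proto: str  # "tcp" or "udp"
    port: int

# Flows the slide requires; each entry is a set of alternatives, any one of which satisfies it.
REQUIRED = [
    {Flow("internet", "dmz", "tcp", 443)},                                     # client -> Access Gateway (SSL/TLS)
    {Flow("dmz", "trusted", "tcp", 80), Flow("dmz", "trusted", "tcp", 443)},   # Access Gateway -> Web Interface (HTTP or HTTPS)
    {Flow("dmz", "trusted", "tcp", 1494), Flow("dmz", "trusted", "tcp", 2598)},  # ICA to the farm (1494, or 2598)
]

def check_policy(allow_rules):
    """Return (missing, direct): required flow groups with no allowed member, and any
    rule that lets the Internet talk to the Trusted Network without passing the DMZ."""
    allowed = set(allow_rules)
    missing = [alts for alts in REQUIRED if not (alts & allowed)]
    # The slide's premise is that only the hardened appliance in the DMZ is reachable
    # from the Internet, so an internet -> trusted rule contradicts the design.
    direct = sorted((r for r in allowed if r.src == "internet" and r.dst == "trusted"),
                    key=lambda f: (f.proto, f.port))
    return missing, direct

# Constructed sample policy: forgets the ICA path entirely and still carries an old
# rule exposing the Web Interface straight to the Internet.
SAMPLE_POLICY = [
    Flow("internet", "dmz", "tcp", 443),
    Flow("dmz", "trusted", "tcp", 80),
    Flow("internet", "trusted", "tcp", 80),
]

if __name__ == "__main__":
    missing, direct = check_policy(SAMPLE_POLICY)
    for alts in missing:
        print("missing required flow, need one of: " +
              ", ".join(f"{f.src}->{f.dst} {f.proto}/{f.port}" for f in sorted(alts, key=lambda f: f.port)))
    for f in direct:
        print(f"Internet reaches Trusted Network directly on {f.proto}/{f.port}: violates the DMZ design")
```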
How It Works: Access Presentation Servers with No VPN Client
(Diagram: Client --HTTPS--> Access Gateway --> Web Interface --XML--> Presentation Server Farm; Client --ICA in SSL--> Access Gateway --ICA--> Presentation Server Farm)
1. User points to https://access.company.com
2. Access Gateway terminates SSL and authenticates the user
3. Reverse proxy to Web Interface and perform single sign-on
4. User clicks an application icon
5. Web Interface requests a ticket from the XML Service
6. Web Interface sends the ticket to the user in an ICA file
7. ICA Client spawns and sends ICA in SSL to the Access Gateway
8. Access Gateway validates the ticket
9. ICA session is established and the application is displayed on the user's desktop
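The nine steps above are a ticket-mediated launch: the ICA file that reaches the browser carries a ticket rather than credentials or the farm's address, and the gateway opens the inbound ICA connection only after the ticket checks out. The model below is an added example, not Citrix's STA code; the ticket format, the 100-second lifetime, the single-use rule and the in-memory store are assumptions made to show why the ticket is safe to hand to the client.

```python
import secrets
import time

class TicketAuthority:
    """Models the STA / XML Service that issues launch tickets (step 5) and redeems them (step 8)."""

    def __init__(self, ttl_seconds=100):           # lifetime is an assumption of this model
        self.ttl = ttl_seconds
        self._tickets = {}                          # ticket -> (server_address, issued_at)

    def request_ticket(self, server_address, now=None):
        # Step 5: Web Interface asks for a ticket for the server that will host the application.
        ticket = secrets.token_hex(16)              # unguessable and carries no user or server data
        self._tickets[ticket] = (server_address, now if now is not None else time.time())
        return ticket

    def validate(self, ticket, now=None):
        # Step 8: the gateway redeems the ticket. pop() makes it single-use, so a replayed
        # ticket finds nothing; an expired ticket is refused even on first use.
        now = now if now is not None else time.time()
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        server_address, issued_at = entry
        if now - issued_at > self.ttl:
            return None
        return server_address

def build_ica_file(ticket, gateway="access.company.com"):
    # Step 6: the ICA file names the gateway (the one host the client can reach) and the
    # ticket; it never exposes the internal server address. Field names are illustrative.
    return {"SSLProxyHost": f"{gateway}:443", "Address": ticket}

def gateway_connect(sta, ica_file, now=None):
    # Steps 7-9: the client presents the ticket inside SSL; only after validation does the
    # gateway open the ICA connection into the trusted network (port 1494 per the slide).
    server = sta.validate(ica_file["Address"], now=now)
    if server is None:
        return None                                 # unknown, replayed or expired ticket
    return f"ICA session to {server}:1494"

if __name__ == "__main__":
    sta = TicketAuthority()
    ica = build_ica_file(sta.request_ticket("10.0.0.5"))   # constructed internal address
    print(gateway_connect(sta, ica))                        # first use succeeds
    print(gateway_connect(sta, ica))                        # replay is refused -> None
```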
Web Interface Site Details Set on a Per-Group Basis
– Each group can use the portal page as before or be redirected to another web server URL
– Send different users to different Citrix farms according to group membership
Multiple Logon Option Page
– Establishes a VPN connection for full desktop connectivity
– Redirects to Web Interface for ICA-only access
Minimal Deployment: Standard Edition
(Diagram: Access Gateway Standard Edition --> Web Interface --> Presentation Servers)
– Web Interface may be moved to the LAN if Access Gateway is configured to authenticate users
Advanced Edition Web Interface Integration
(Diagram: Access Gateway --> Advanced Access Control (AAC) --> Web Interface --> Presentation Server Farm)
– User traffic flows through AAC on its way to Web Interface
Advanced Edition Web Interface Integration
(Diagram: Access Gateway --> multiple Advanced Access Control (AAC) servers --> Web Interface --> Presentation Server Farm)
– If there are multiple AAC servers, one user's traffic will emanate from all AAC servers in the farm
Advanced Edition Web Interface Integration
(Diagram: Access Gateway --> multiple Advanced Access Control (AAC) servers --> multiple Web Interface servers (which one?) --> Presentation Server Farm)
– If there are also multiple WI servers, load balancing becomes a challenge: one user's traffic must be persisted to one WI server, but the traffic will emanate from multiple AAC servers.
Option 1: Redundant WI Servers with NLB
(Diagram: Access Gateway --> Advanced Access Control (AAC) --> NLB --> Web Interface --> Presentation Server Farm)
– Windows Network Load Balancing (NLB) can be used, but only for redundancy. Configure NLB for "Single Host".
Option 2: Use NetScaler for Cookie-based Load Balancing
(Diagram: Access Gateway --> Advanced Access Control (AAC) --> NetScaler VIP* --> Web Interface --> Presentation Server Farm)
– NetScaler can be used to virtualize the WI servers with cookie-based load balancing.
– Use the ASP.NET Session ID cookie for persistence.
* NetScaler Virtual IP, not a Presentation Server Farm IP
Load Balancer Insertion Points
– Citrix Access Gateway
  – Client to CAG
  – CAG to Advanced Access Control
  – AAC to WI
  – WI to AAC
– Citrix Presentation Server
  – Web Interface servers and CSG
  – XML Service
  – Load balancing mirrored sites (GSLB)