TRANSCRIPT
Sept, 2012
Citrix CloudGateway™Technical Overview
© 2012 Citrix | Confidential – Do Not Distribute
Across all types of apps, data, devices and users
• Single point of Access & Self-service
• Single point of Aggregation & Control
• Context and Content
• Any device: PC, Mac, smartphone, tablet, thin client
• Any App & Data: mobile, SaaS, web, Windows
Citrix CloudGateway™
• Unified storefront for mobile, Web, SaaS and Windows apps
• Follow me apps & data on any device with federated SSO
• Control access policies for apps, data and devices
• Wipe apps & data remotely
• Unified SLA and license compliance for SaaS apps
• Clientless secure remote access
CloudGateway Express
Windows apps & desktops: Receiver, Storefront Services
FREE for XenApp & XenDesktop
CloudGateway Enterprise
Windows apps & desktops, Web & SaaS apps: Receiver, Access Gateway, Storefront Services, AppController
[Diagram: CloudGateway (Citrix Receiver, Access Gateway, Storefront Services, AppController) fronting Mobile Apps, Web & SaaS Apps, ShareFile Data, and Virtual Desktops & Apps]
Access Your Apps and Data From Any Device
• Follow-me apps and data
• Auto provisioned apps
• Self Service
• Application Request
• VPN-less Remote Access
• Single Sign on in base Receiver
• One-click configuration
• Coherent UI & UX
Citrix Receiver
CloudGateway Application Administration
Web, SaaS, and Mobile
Application Stores: The CloudGateway Way
[Diagram: Web Interface (the old way) and PNAgent reach XenDesktop and XenApp over HTTP(S); the StoreFront Server reaches XenDesktop, XenApp and AppController over the DS Protocol]
AppController is just another application store like XenDesktop and XenApp.
StoreFront Services Server extends the store concept to include app subscription.
AppController Administration: Web/SaaS
• Define Roles
  ᵒ Roles map to AD groups
  ᵒ Extracts “memberof” attribute
• Configure Applications
  ᵒ Connectors for federated access or user accounts
  ᵒ Long list of built-in connectors
  ᵒ Wizards for custom federated access
[Diagram: Active Directory groups map (MAP) to AppController roles, which drive Federated Single Sign-on]
AppController: Role-based User Account Management
[Diagram: Active Directory, Employee List, SyncMaster and the AppController Workflow and Provisioning Engine]
1. Standard enterprise provisioning systems create user accounts on AD
   ᵒ AppC supports programmatic integration with PeopleSoft, SAP, Oracle HRMS and other systems, in addition to LDAP sync
2. Sync to identify user-group association
3. Create user accounts with associated privileges on external applications
   ᵒ If user is disabled on AD, all external accounts can be disabled too
AppController: Automatic Account Provisioning
[Diagram: AppController syncs with and authenticates against Active Directory, creates users on target applications, and logs to Reporting Systems]
Decisions made when creating users:
• What privilege on application?
• Any app-specific security rules?
• Additional approvals required before creating account?
AppController: Workflow Management
[Diagram: Citrix Receiver → AppController Workflow and Provisioning Engine → Approvers]
1. User self-service application request
   ᵒ All app requests and subscriptions consolidated on the Citrix Receiver
2. Request triggers AppC workflows
3. Approvers get mail notifications and approve request
4. Application account gets provisioned for user
Scenario-based controls
Mobile Application Management
App Wrapping and containerization
Citrix Mobile App Management
• Full support for both personal and corporate usage (BYOD)
  ᵒ Corporate apps and data secure even on employee-owned devices
  ᵒ New consumer-driven devices supported immediately
• No risk of corporate data loss or compliance exceptions when:
  ᵒ Device is lost or stolen or employee leaves organization
  ᵒ Collaboration / file sharing apps used on the device
• Governance is built-in
  ᵒ Policies can be updated on hundreds of apps with no requirement to change source code
• No requirement for developers to change the way they develop apps or learn mobile security standards
Mobile App Management
[Diagram: Receiver, Access Gateway, Storefront Services, AppController]
Native Mobile Apps Management
• App secured by policy
• Local storage encrypted
• Network access secured
The .ipa or .apk file is built with standard libraries; the policies applied to it are: user auth required, allow local storage, offline access allowed, restrict doc sharing, restrict APIs, control network.
[Diagram: Receiver hosting 3rd party and in-house apps in app and data containers with VPN; CloudGateway with StoreFront, Policy Engine, MAM server and gateway services]
App Preparation Process (example: QuickOffice.ipa)
1. Secure app with App Preparation Tool
2. Upload app to CloudGateway
3. App available as a secure, managed app (QuickOffice Enterprise)
4. Download via Citrix Receiver
5. App is visible on iOS “home screen”
ShareFile & Follow-Me-Data
The IT Balancing Act: Standardization vs. Consumerization
Features for IT
• Encryption
• Granular permissions
• Remote wipe
• AD integration
• Audit trail / reporting
• Configurability
Features for end users
• Mobile tools
• Single sign on
• File sync
• Easy to use
• Outlook plug-in
Citrix CloudGateway & ShareFile
• Advanced Authentication & Provisioning
• XenApp Integration
• Data protection – Encrypt, Lock & Wipe
• Policy-based Control
• Offline Access and 2 way Synchronization
• Single Sign On
• AD / Role based provisioning
“Follow-Me Data”: Local | Cloud
[Diagram: data held in the Datacenter, On-premise, Personal and Cloud locations, reached through Receiver with Follow-me Data]
• Unified UX
• Centralized Control
• Any Data
share | collaborate | sync | backup | encrypt | remote wipe | policy
Follow-me apps + data: XenApp Integration
Open in XA
• Rich Content editing experience
• High performance (no client-drive mapping)
Access Gateway
What is Access Gateway?
Citrix Access Gateway™ is the only secure application and desktop access solution that provides administrators with application-level control while empowering users with access from anywhere.
• Secure Single Sign-on to StoreFront Services
• Ticket-based Connection Authorization
• VPN-less Remote Access from Any Device
• Endpoint Analysis & SmartAccess
Introducing Access Gateway
Trusted Single Sign-on: Access Gateway and StoreFront Services verify the existence of each other to ensure credentials are passed from a trusted source.
Secure Ticketing: Connections are authorized using a secure single-use ticket. This prevents man-in-the-middle as well as replay attacks.
Anywhere Access: Allows users to securely access desktops and applications from any device, including home computers and mobile devices.
SmartAccess: Endpoint analysis and session policy controls allow for server-side filtering of resource lists.
Network Access: Allows users to access network resources using a traditional SSL VPN with strict authorization policies and split tunneling controls.
VPN-less Access: Enables secure remote access to critical web applications from users’ browsers without requiring additional client components.
What Is SmartAccess?
• Single logon experience to Web Interface
• Secure Application and Desktop Virtualization
• Deliver applications and desktops based on trust
• Dynamically filter Virtual Channels based on endpoint conditions
• Automatically deploy client components with Citrix Receiver
Secure Ticketing
[Diagram: Receiver → Access Gateway (Policy Inspection) → StoreFront Services → XenDesktop, XenApp, AppController]
1. User clicks an app
2. SFS sends XenApp info to STA and receives ticket
3. SFS sends ICA file with STA ticket and AG info to client
4. Browser invokes ICA plug-in and sends ticket info to AG
5. AG validates ticket info and sets up ICA tunnel
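The ticket validation at the core of this flow, as an added example that is not Citrix's STA or Access Gateway code (the class and method names, the 100-second lifetime and the target addresses are assumptions):

```python
import secrets
from typing import Optional

# Constructed model of the single-use ticket flow on this slide. It is not
# Citrix's STA or Access Gateway code; class and method names are assumptions.


class SecureTicketAuthority:
    """Issues opaque one-time tickets that map to a launch target."""

    def __init__(self, ttl_seconds: float = 100.0) -> None:
        self.ttl = ttl_seconds
        self._tickets: dict = {}  # ticket id -> (target, expiry time)

    def request_ticket(self, target: str, now: float) -> str:
        # StoreFront sends the XenApp/XenDesktop target; the STA keeps it
        # server-side and returns only a random, unguessable ticket id, so the
        # ICA file handed to the client never carries the internal address.
        ticket = secrets.token_urlsafe(32)
        self._tickets[ticket] = (target, now + self.ttl)
        return ticket

    def redeem(self, ticket: str, now: float) -> Optional[str]:
        # Access Gateway validates the ticket here. pop() makes it single-use:
        # a replayed ticket finds no entry. Expired tickets are rejected too.
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        target, expires = entry
        return target if now <= expires else None


def demo() -> tuple:
    """Exercise the four cases a ticket validator must get right."""
    sta = SecureTicketAuthority(ttl_seconds=100)
    t0 = 1000.0  # constructed clock value
    ticket = sta.request_ticket("xenapp-01:1494", t0)  # constructed target
    first = sta.redeem(ticket, t0 + 5)               # fresh ticket: tunnel set up
    replay = sta.redeem(ticket, t0 + 6)              # same ticket again: rejected
    stale = sta.request_ticket("xenapp-02:1494", t0)
    expired = sta.redeem(stale, t0 + 200)            # past ttl: rejected
    forged = sta.redeem("guessed-ticket-value", t0)  # unknown id: rejected
    return first, replay, expired, forged


if __name__ == "__main__":
    print(demo())
```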
How Does SmartAccess Work?
[Diagram: Receiver → Access Gateway → StoreFront Services → XenDesktop, XenApp, AppController]
1. EPA Scans Collect Evidence (EPA Result)
2. Evidence Evaluated by AG Policies
3. AG Policies Used in XenApp or XenDesktop Policies
4. List of Apps & Desktops Dynamically Generated (AppList)
5. Secure ICA Session Established with Filtered Virtual Channels (over SSL)
SmartAccess Device Validation
[Diagram: Receiver → Access Gateway → StoreFront Services → XenDesktop, XenApp, AppController]
EPA checks: Firewall active? Device identity check? Anti-virus updated? Malware present?
Flow: Connect → Initiate Scan → Send Results → Pass / Fail → Request Resource → Grant Access (PASS)
SmartAccess – Corporate Laptop
[Diagram: Receiver → Access Gateway (Policy Inspection) → StoreFront Services → XenDesktop, XenApp, AppController; Request Resource / Policy Result]
Resource list returned: MS Word, Financial App, SAP, Win7 Desktop
SmartAccess – Public Kiosk
[Diagram: Receiver → Access Gateway (Policy Inspection) → StoreFront Services → XenDesktop, XenApp, AppController; Request Resource / Policy Result]
Resource list returned: MS Word, SAP
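The corporate-laptop and public-kiosk scenarios worked through the SmartAccess chain (EPA evidence, AG policy evaluation, filtered app list and virtual channels), as an added example that is not Citrix code; the policy names, per-app requirements and channel mapping are assumptions chosen to reproduce the results on the slides.

```python
from dataclasses import dataclass

# Constructed model of the SmartAccess flow (EPA evidence -> AG session
# policies -> filtered app list and virtual channels). Not Citrix code; the
# policy names and per-app requirements are assumptions.


@dataclass(frozen=True)
class Evidence:
    """Step 1: what the endpoint analysis scan reported."""
    firewall_active: bool
    device_identity_ok: bool
    antivirus_updated: bool
    malware_present: bool


def evaluate_policies(ev: Evidence) -> set:
    """Step 2: AG session policies whose conditions the evidence satisfies."""
    if ev.malware_present:
        return set()  # fail closed: nothing is offered to an infected endpoint
    matched = {"AnyDevice"}
    if ev.firewall_active and ev.antivirus_updated:
        matched.add("HealthyEndpoint")
        if ev.device_identity_ok:
            matched.add("CorporateDevice")
    return matched


# Step 3: each published resource lists the AG policies allowed to see it.
PUBLISHED = {
    "MS Word": {"AnyDevice"},
    "SAP": {"AnyDevice"},
    "Financial App": {"CorporateDevice"},
    "Win7 Desktop": {"CorporateDevice"},
}

# Step 5: ICA virtual channels each policy unlocks (constructed mapping).
CHANNELS = {
    "AnyDevice": {"display", "keyboard"},
    "HealthyEndpoint": {"printer"},
    "CorporateDevice": {"client-drive-mapping", "clipboard"},
}


def resource_list(ev: Evidence) -> tuple:
    """Step 4: the app list and channel set this endpoint actually receives."""
    policies = evaluate_policies(ev)
    apps = sorted(app for app, req in PUBLISHED.items() if req & policies)
    channels = set().union(*(CHANNELS[p] for p in policies))
    return apps, channels


CORPORATE_LAPTOP = Evidence(True, True, True, False)  # constructed scan result
PUBLIC_KIOSK = Evidence(False, False, False, False)   # constructed scan result
```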
VPN-less Remote Access
[Diagram: Receiver → Access Gateway (Policy Inspection) → StoreFront Services → XenDesktop, XenApp, AppController, all over SSL]
Request Resource → Policy Inspection → Secure Connection to requested resource only
StoreFront Services
• Search to quickly find, subscribe to, or launch apps, documents or services
• Role based “Follow-me” Subscriptions for applications and data
• Request applications
• Single authentication
• Integrated with Citrix Online “GoTo” Products
• Apps can be:
  ᵒ Hosted
  ᵒ Streamed (App-V or Citrix)
  ᵒ Web (SaaS)
Enterprise-ready Storefront Infrastructure
• Centralized administration
• Leverages SQL Server
• Easy to scale out
[Diagram: multiple StoreFront servers sharing a Central Subscription Database (SQL) and a replicated Credential Wallet]
Auth System – with Access Gateway
[Diagram: Access Gateway, Storefront Services Auth Service and User Directory; the Auth Service detects that the call is via AG and includes that information in the call context]
1. EPA & Auth
2. Authentication
3. Give me a token for Store
4. Here is a Token for Store
5. Present auth token
6. Returning Store information & list of Apps
Provisioning Files
eastgw.citrix.com
westgw.citrix.com
emeagw.citrix.com
Roaming
westgw.citrix.com
emeagw.citrix.com
eastgw.citrix.com
Recommended Deployment
[Diagram: Storefront Services at Site 1 and Site 2 as a scale-out cluster with web LB; Access Gateway as an HA pair or scale-out cluster]
Hands on lab overview
• Configure AppController
• Configure StoreFront
• Configure AG Policies
• End-user setup and experience
• End-user experience
Architectural Topology: Citrix CloudGateway
[Diagram: Receiver reaches Access Gateway at the Firewall; behind it sit StoreFront and AppController, fronting Private Cloud Services (Virtual desktops and apps) and Public Cloud Services (Web Apps, Mobile Apps, SaaS Apps) behind a second Firewall. User actions: Subscribe, Request Access, Launch. Functions: Identify, Secure, Optimize, Aggregate, Control, Monitor. The slide is repeated four times, highlighting AppController, StoreFront, Access Gateway and the user experience in turn.]
Lab Environment Login
Launch your browser and type http://ilt.citrixvirtualclassroom.com/
Your session code is: “ANZ20-CGENT-SEP20”
From VCDC to onsite PoC
• Provision VCDC environment (Allow 24h for completion)
• Receive automated email with instructions from VCDC
  ᵒ Usernames and Passwords
  ᵒ Links to all documentation needed for VCDC
• Demo solution to customer using step by step Demo Guides
• Leave instructions for VCDC with customer for them to test and play with CloudGateway for 7 days
• Schedule onsite PoC
• CloudGateway Enterprise Pre-requisite check list
  ᵒ http://www.citrix.com/skb/articles/RDY6229
• CloudGateway Enterprise short Tech Deck
  ᵒ http://www.citrix.com/skb/articles/RDY7030
Documentation
• CloudGateway Enterprise Pre-requisite check list
  ᵒ http://www.citrix.com/skb/articles/RDY6229
• CloudGateway Enterprise short Tech Deck
  ᵒ http://www.citrix.com/skb/articles/RDY7030
• How to configure FMD with SAML Configuration Guide
  ᵒ http://www.citrix.com/skb/articles/RDY7314
• Step by step guide how to wrap mobile applications for distribution from the AppController
  ᵒ http://www.citrix.com/skb/articles/RDY7317
• VCDC Demo guide
  ᵒ http://www.citrix.com/skb/articles/RDY7333
• VCDC Admin Guide
  ᵒ http://www.citrix.com/skb/articles/RDY7334