Sept, 2012 Citrix CloudGateway™ Technical Overview

Upload: miranda-crawford

Post on 25-Dec-2015


© 2012 Citrix | Confidential – Do Not Distribute

across all types of apps, data, devices and users

Single point of Access & Self-service

Single point of Aggregation & Control

Context Content

Any device: pc, mac, smartphone, tablet, thin client

Any App & Data: data, mobile, SaaS, web, windows


Citrix CloudGateway™

• Unified storefront for mobile, Web, SaaS and Windows apps
• Follow-me apps & data on any device with federated SSO
• Control access policies for apps, data and devices
• Wipe apps & data remotely
• Unified SLA and license compliance for SaaS apps
• Clientless secure remote access

CloudGateway Express

Windows apps & desktops

Receiver -- Storefront Services

FREE!

For XenApp & XenDesktop

Receiver – Access Gateway – Storefront Services – AppController

CloudGateway Enterprise

Windows apps & desktops, Web & SaaS apps

Mobile Apps

Storefront Services

Access Gateway

Receiver

AppController

Web & SaaS Apps

ShareFile Data

Virtual Desktops & Apps

CloudGateway


Citrix Receiver


Access Your Apps and Data From Any Device


• Follow-me apps and data

• Auto provisioned apps

• Self Service

• Application Request

• VPN-less Remote Access

• Single Sign on in base Receiver

• One-click configuration

• Coherent UI & UX

Citrix Receiver


CloudGateway Application Administration

Web, SaaS, and Mobile

Application Stores

The CloudGateway Way

WebInterface (the old way)

PNAgent

HTTP(S)

XenDesktop

XenApp

AppController

StoreFront Server

DS Protocol

AppController is just another application store like XenDesktop and XenApp

StoreFront Services Server extends the store concept to include app subscription

AppController

Administration

Web/SaaS

Define Roles

Roles map to AD groups

Extracts “memberof” attribute

Configure Applications

Connectors for federated access or user accounts

Long list of built-in connectors

Wizards for custom federated access

MAP

Federated Single Sign-on

Active Directory

Workflow and Provisioning Engine

SyncMaster

Employee List

1. Standard enterprise provisioning systems create user accounts on AD
   • AppC supports programmatic integration with PeopleSoft, SAP, Oracle HRMS and other systems, in addition to LDAP sync
2. Sync to identify user-group association
3. Create user accounts with associated privileges on external applications
   • If user is disabled on AD, all external accounts can be disabled too

AppController

Role-based User Account Management

Active Directory


AppController

Reporting Systems

Create

Users

What privilege on application?

Any app specific security rules?

Additional approvals required before creating account?

Sync

Log

Auth

Automatic Account Provisioning

Active Directory

1. User self-service application request
   • All app requests and subscriptions consolidated on the Citrix Receiver
2. Request triggers AppC workflows
3. Approvers get mail notifications and approve request
4. Application account gets provisioned for user

Approver

Workflow and Provisioning Engine

AppController

Workflow Management

Scenario-based controls


Mobile Application Management

App Wrapping and containerization


Citrix Mobile App Management

• Full support for both personal and corporate usage (BYOD)
  ᵒ Corporate apps and data secure even on employee-owned devices
  ᵒ New consumer-driven devices supported immediately
• No risk of corporate data loss or compliance exceptions when:
  ᵒ Device is lost or stolen or employee leaves organization
  ᵒ Collaboration / file sharing apps used on the device
• Governance is built-in
  ᵒ Policies can be updated on hundreds of apps with no requirement to change source code
• No requirement for developers to change the way they develop apps or learn mobile security standards

Storefront Services

Access Gateway

Receiver

AppController

Mobile App Management

• App secured by policy
• Local storage encrypted
• Network access secured

.ipa or .apk file with standard libraries

User auth required
Allow local storage
Offline access allowed
Restrict doc sharing
Restrict APIs
Control network

Native Mobile Apps Management

Receiver

app

data

containers

vpn

3rd party apps

in-house apps

gateway services

StoreFront

Policy Engine

MAM server

CloudGateway

App Preparation Process

Upload app to CloudGateway

Download via Citrix Receiver

QuickOffice.ipa

Secure app with App Preparation Tool

App available as a secure, managed app

App is visible on iOS “home screen”

QuickOffice Enterprise

QuickOffice

ShareFile & Follow-Me-Data

The IT Balancing Act

Standardization Consumerization

Features for IT
• Encryption
• Granular permissions
• Remote wipe
• AD integration
• Audit trail / reporting
• Configurability

Features for end users
• Mobile tools
• Single sign on
• File sync
• Easy to use
• Outlook plug-in

Citrix CloudGateway & ShareFile

• Advanced Authentication & Provisioning

• XenApp Integration

• Data protection – Encrypt, Lock & Wipe

• Policy-based Control

• Offline Access and 2 way Synchronization

• Single Sign On

• AD / Role based provisioning

“Follow-Me Data”

Local | Cloud

Datacenter

On-premise

Personal

Cloud

Receiver with Follow-me Data

Unified UX

Centralized Control

Any Data

share | collaborate | sync | backup | encrypt | remote wipe | policy

Follow-me apps + data: XenApp Integration

Open in XA

• Rich Content editing experience

• High performance (no client-drive mapping)


Access Gateway


What is Access Gateway?

Citrix Access Gateway™ is the only secure application and desktop access solution that provides administrators with application-level control while empowering users with access from anywhere.

Secure Single Sign-on to StoreFront Services

Ticket-based Connection Authorization

VPN-less Remote Access from Any Device

Endpoint Analysis & SmartAccess

Introducing Access Gateway

• Trusted Single Sign-on: Access Gateway and StoreFront Services verify the existence of each other to ensure credentials are passed from a trusted source
• Secure Ticketing: Connections are authorized using a secure single-use ticket. This prevents man-in-the-middle as well as replay attacks
• Anywhere Access: Allows users to securely access desktops and applications using any device in any Application, including home computers and mobile devices
• SmartAccess: Endpoint analysis and session policy controls allow for server-side filtering of resource lists
• Network Access: Allows users to access network resources using a traditional SSL VPN with strict authorization policies and split tunneling controls
• VPN-less Access: Enables secure remote access to critical web applications from users’ browsers without requiring additional client components


What Is SmartAccess?

• Single logon experience to Web Interface

• Secure Application and Desktop Virtualization

• Deliver applications and desktops based on trust

• Dynamically filter Virtual Channels based on endpoint conditions

• Automatically deploy client components with Citrix Receiver


XenDesktop

XenApp

AppController

Secure Ticketing

StoreFront Services

Access Gateway

Receiver

User clicks an app

SFS sends XenApp info to STA and receives ticket

Policy Inspection

SFS sends ICA file with STA ticket and AG info to client

Browser invokes ICA plug-in and sends ticket info to AG

AG validates ticket info and sets up ICA tunnel
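The ticket flow above (the store front obtains a ticket for a backend, the client presents it, the gateway validates it before tunnelling) can be modelled as follows. This is an added example, not Citrix code: the class and function names, the 100-second lifetime and the backend address are assumptions chosen for illustration.

```python
import secrets
import time


class TicketAuthority:
    """Hypothetical stand-in for the STA role: maps opaque tickets to backends."""

    def __init__(self, ttl_seconds=100, clock=time.monotonic):
        self._ttl = ttl_seconds          # assumed lifetime, not a product value
        self._clock = clock
        self._pending = {}               # ticket -> (target, expiry)

    def issue(self, target):
        # Called by the store front. The backend address stays on the trusted
        # side; the client only ever receives the random ticket.
        ticket = secrets.token_urlsafe(32)
        self._pending[ticket] = (target, self._clock() + self._ttl)
        return ticket

    def redeem(self, ticket):
        # Called by the gateway. pop() makes redemption single-use: a captured
        # ticket presented a second time no longer resolves to anything.
        entry = self._pending.pop(ticket, None)
        if entry is None:
            return None
        target, expiry = entry
        if self._clock() > expiry:
            return None
        return target


def gateway_connect(authority, ticket):
    """Gateway side: set up a tunnel only if the ticket redeems to a target."""
    target = authority.redeem(ticket)
    if target is None:
        return "rejected"
    return f"tunnel -> {target}"


def demo():
    now = [0.0]                              # constructed clock for a fixed outcome
    sta = TicketAuthority(ttl_seconds=100, clock=lambda: now[0])

    t1 = sta.issue("10.0.0.5:1494")          # constructed backend address
    first = gateway_connect(sta, t1)         # legitimate launch
    replay = gateway_connect(sta, t1)        # same ticket presented again

    t2 = sta.issue("10.0.0.5:1494")
    now[0] += 101                            # ticket presented after its lifetime
    late = gateway_connect(sta, t2)

    forged = gateway_connect(sta, "not-a-real-ticket")
    return first, replay, late, forged


if __name__ == "__main__":
    print(demo())
```
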

How Does SmartAccess Work?

1. EPA Scans Collect Evidence
2. Evidence Evaluated by AG Policies
3. AG Policies Used in XenApp or XenDesktop Policies
4. List of Apps & Desktops Dynamically Generated
5. Secure ICA Session Established with Filtered Virtual Channels

Diagram labels: StoreFront Services, Access Gateway, Receiver, XenDesktop, XenApp, AppController, EPAResult, Policy, AppList, SSL

SmartAccess Device Validation

Firewall active?
Device Identity Check?
Anti-virus updated?
Malware Present?

Connect
Initiate Scan
Send Results
Pass / Fail
Request Resource
Grant Access (PASS)

SmartAccess – Corporate Laptop

Request Resource
Policy Inspection
Policy Result
MS Word, Financial App, SAP, Win7 Desktop

SmartAccess – Public Kiosk

Request Resource
Policy Inspection
Policy Result
MS Word, SAP

VPN-less Remote Access

Request Resource
Policy Inspection
Secure Connection to requested resource only

StoreFront Services

• Search to quickly find, subscribe to, or launch apps, documents or services

• Role based “Follow-me” Subscriptions for applications and data

• Request applications

• Single authentication

• Integrated with Citrix Online “GoTo” Products

• Apps can be:
  • Hosted
  • Streamed (App-V or Citrix)
  • Web (SaaS)

• Centralized administration

• Leverages SQL Server

• Easy to scale out

Enterprise-ready Storefront Infrastructure

Central Subscription Database

SQL

Credential Wallet

Replicated

StoreFront

AG

Storefront Services

AuthService

Auth System – with Access Gateway

Detects call is via AG

Includes information in call context

User Directory

1 - EPA & Auth
2 - Authentication
3 - Give me a token for Store
4 - Here is a Token for Store
5 - Present auth token
6 - Returning Store information & list of Apps

Provisioning Files

eastgw.citrix.com

westgw.citrix.com

emeagw.citrix.com


Roaming

westgw.citrix.com

emeagw.citrix.com

eastgw.citrix.com

Recommended Deployment

Storefront Services Site 1

Site 2

Access Gateway

HA Pair or scale-out cluster

Scale-out cluster with web LB


Hands on lab overview

• Configure AppController

• Configure StoreFront

• Configure AG Policies

• Enduser setup and experience

• Enduser experience

Architectural Topology

Citrix CloudGateway

Access Gateway

Firewall

AppController

Public Cloud Services

StoreFront

Private Cloud Services

Firewall

Virtual desktops and apps

Web Apps

Mobile Apps

SaaS Apps

Subscribe, Request Access, Launch

Identify, Secure, Optimize

Aggregate, Control, Monitor

[The same topology slide repeats four more times, titled in turn: AppController, StoreFront, AccessGateway, User experience]

Launch your browser and type

http://ilt.citrixvirtualclassroom.com/

Your session code is:

“ANZ20-CGENT-SEP20”

Lab Environment Login

From VCDC to onsite PoC

• Provision VCDC environment (Allow 24h for completion)
• Receive automated email with instructions for VCDC
  ᵒ Usernames and Passwords
  ᵒ Links to all documentation needed for VCDC
• Demo solution to customer using step by step Demo Guides
• Leave instruction for VCDC with customer for them to test and play with CloudGateway for 7 days
• Schedule onsite PoC
• CloudGateway Enterprise Pre-requisite check list
  ᵒ http://www.citrix.com/skb/articles/RDY6229
• CloudGateway Enterprise short Tech Deck
  ᵒ http://www.citrix.com/skb/articles/RDY7030

Documentation

• CloudGateway Enterprise Pre-requisite check list
  ᵒ http://www.citrix.com/skb/articles/RDY6229
• CloudGateway Enterprise short Tech Deck
  ᵒ http://www.citrix.com/skb/articles/RDY7030
• How to configure FMD with SAML Configuration Guide
  ᵒ http://www.citrix.com/skb/articles/RDY7314
• Step by step guide how to wrap mobile applications for distribution from the AppController
  ᵒ http://www.citrix.com/skb/articles/RDY7317
• VCDC Demo guide
  ᵒ http://www.citrix.com/skb/articles/RDY7333
• VCDC Admin Guide
  ᵒ http://www.citrix.com/skb/articles/RDY7334