| Author |
| |
Messages |
Sort: |
|
Joslyn
SmartAccessCentral Moderator
User Online: 
|
|
Posted:12/06/2005 9:45 AM |
|
|
First to clear up the confusion, what is the Access Gateway Advanced Control Option?
It s the technology formerly known as MSAM (MetaFrame Secure Access Manager) and AGE (Access Gateway Enterprise).
This is the software add-on to the Access Gateway appliance (although currently it is a standalone product until another version release in 2005) that allows all of the end point analysis to be carried out as well as the tailoring of advanced access policies. It is the Advanced Control Option that allows the controlling of access to different resources (File Shares, Web Applications, Citrix Presentation Server Applications etc) as well as controlling how those applications can be used (what virtual channels are available in PS Apps, can users download or only preview files etc).
Later in 2005 we should see another release of this technology that will also allow us to use the Advanced Control Option to control the configuration of the Access Gateway Appliance. For example, based upon advanced end point analysis of the Advanced Control Option we will be able to control the Networks and ports accessible via the hardware device.
Tim Joslyn
Tim@smartaccesscentral.com
www.SmartAccessCentral.com |
|
csg63
New Member
User Online:
|
|
Posted:12/06/2005 5:17 PM |
|
Hi tim just another question so iam not confusing myself, today the
access gateway combines with MSAM 2.2 to give you the adavnced gateway
option or is there
another standalone product that was released together with PS 4.0.
Iam afraid it all is a bit confusing.
Regards Craig
|
|
Joslyn
SmartAccessCentral Moderator
User Online:
|
|
Posted:12/06/2005 5:55 PM |
|
|
Hi Craig
I wouldn't worry about the confusion, to be honest very few people seem to understand what fits where at the moment (and that can include employees of a certain vendor )
Today the Access Gateway appliance (current 4.0 release) contains two technology components (if we forget the not so useful kiosk mode) namely the full SSL VPN as developed by Net 6 and also the Secure Gateway Code base so that the appliance can front the delivery of Presentation Server Applications. Apart from the inclusion of SG the appliance does not integrate with any of the Citrix products. Administration and Licensing are all separate. Of course you could use the Access Gateway appliance to access other Citrix technologies such as PS delivered applications and internally deployed MSAM implementations. You would just use the gateway appliance to get yourself connected to the internal network.
MSAM 2.x was effectively a low end portal product with some basic SSL VPN functionality to allow email synchronisation which was known as the Advanced Gateway Client (Product marketing really do deserve an award for making all these names so confusing).
The next incarnation of MSAM (originally named MSAM 4.0) was a completely different product. It still included the functionality of MSAM 2.x in terms of Access Centres which can be used as an alternative UI but this product was focussed on delivering on the 'Access' story that Citrix have been telling for the last couple of years. The main focus of the technology is in allowing 3 dimensional Access control ie based on who a user is, where a user is and what the state of the device is that the user is connecting from, a completely tailored Access Scenario is delivered. So we have:
- Advanced End Point Analysis (for example is the client running AV, what OS are they accessing from, is a firewall enabled etc etc)
- The ability to create complex access filters based on different End Point analysis.
- A 'new' UI know as the NAV UI
- Ability to control access to a variety of resources including PS Applications, Web Applications, File Shares, Web Email, IP Tunnels.
As part of the Access Suite 4.0 release the name MetaFrame was dropped so the product was renamed to Access Gateway Advanced Control Option however today there is no direct integration with the Access Gateway Appliance. Currently for secure external access the Advanced Control Option uses the Citrix Secure Gateway technologies and IP tunnels are created by the Advanced Gateway Client (as used in MSAM 2.2).
Towards the end of 2005 we should hopefully see another release of both the Access Gateway Appliance and the Advanced Control Option software. This will replace the software Secure Gateway component used today and the Advanced Control Option software will then be able to provide policy based control to the Access Gateway itself.
So as you can see there are plenty of reasons to be confused, this will have either answered your questions or sent your head into a spin!
Tim
Tim Joslyn
Tim@smartaccesscentral.com
www.SmartAccessCentral.com |
|
SteveMcG
SmartAccessCentral Moderator
User Online:
|
|
Posted:12/06/2005 9:59 PM |
|
|
Welcome Craig,
Citrix have now taken a firm position that they now play in the "Access Infrastructure" market space. In order to reflect this, the marketing department have brought out a solid message, which unfortunately has confused 99.9% of the Citrix world.
As Tim has said earlier, the cool technology is the addition of the Smart Access components, which we at SAC have been working with over the last six months or so, in our day jobs.
If we can help you understand the technology, and cut through the names to the great technology underneath, then please ask!
|
|
csg63
Intermediate Member
User Online:
|
|
Posted:16/06/2005 8:29 PM |
|
Well here goes next question the advanced content option for the gateway appliance has it been released yet ?
I see mentioned in all the literature but it does not seem to be
available for download. Any ideas of how the roadmap for the access
gateway appliance ?
Regards Craig
|
|
Joslyn
SmartAccessCentral Moderator
User Online:
|
|
Posted:17/06/2005 8:37 AM |
|
|
Hi Craig,
The AAC is due to be released next week along with the rest of the Access Suite 4.0 (bar Presentation Server which was released last month).
As for roadmap, I would expect a second release of AAC towards the end of this year to improve integration between the Gateway appliance and the AAC.
With regards to the Gateway appliance itself version 4.1 will be released at some point (we are currently looking at the betas so it cannot be that far away) and this offers a much approved users and admin interface (Java based console that is installed on a server as opposed to having to use a VNC connection to the appliance itself). However as far as I am aware the RSA pass-through issue that you experience is still not resolved.
What other niggles do you have with the device? I know that some key individuals within the Gateways division may monitor this forum so this is good unofficial way of getting feedback direct to people who can effect change within Citrix.
Tim
Tim Joslyn
Tim@smartaccesscentral.com
www.SmartAccessCentral.com |
|
csg63
Intermediate Member
User Online:
|
|
Posted:17/06/2005 8:49 PM |
|
|
Well iam not sure you could it niggles but, the main problem we have is that it would seem that the installation of the full access client requires admin rights, not cool at all, plus the performance is not what we were expecting, iam not sure why because its early days yet for our testing. In the beging we did think that it was going to be smarter that using the full client would´nt pump everything down the vpn tunnel but be more selective dependant on polices, and not dependant on using split dns. Its nice to know that there is more options on the way. I will naturally leave feedback at the forum under our trials.
Regards Craig
|
|
dabs
SmartAccessCentral Moderator
User Online:
|
|
Posted:18/06/2005 9:07 AM |
|
|
Hi Craig
You are probably aware, but if you don't have admin rights the Access Gateway client is supposed to down-grade the version of the client to allow to it to install.
This version, the non-admin install then supports all Winsock-aware aaplicatiosn and DNS only. It won't support non-Windowsock applications such as SMB (e.g. file shares) and UDP applications (e.g. VoIP).
brian
Brian DaBinett
brian@smartaccesscentral.com |
|
leeanth
New Member
User Online:
|
|
Posted:21/06/2005 1:48 PM |
|
|
Can the Advanced Access Control option only be used with the AG appliance or can the features of the Advanced Access Control option, i.e end point analysis, access filters etc be used with an SG implementation?
Thanks, Lee.
|
|
dabs
SmartAccessCentral Moderator
User Online:
|
|
Posted:21/06/2005 3:48 PM |
|
|
Hi Lee
When you mention SG do you mean Secure Gateway with MSAM 2.x, Web Interface of Access Gateway Enterprise?
Currently AAC will only work as part of Access Gateway Enterprise (which is the software gateway running on a Windows server). Around October the gateway component gets moved to the hardware appliance.
Access Gateway Enterprise is the replacement for MSAM 2.x.
Does that help?
Thanks
Brian.
Brian DaBinett
brian@smartaccesscentral.com |
|
leeanth
New Member
User Online:
|
|
Posted:22/06/2005 10:33 AM |
|
|
Hi Brian,
Thanks for responding so quickly. I want to take an SG/WI and MetaFrame environment, upgrade it to PS 4.0 and the latest SG/WI versions. In addition add in access control features (end point scanning, access filters) and be able to configure what can be accessed based on device type, connection speed etc. I'm not sure what the options are and the products required. My understanding is the CAG is not a replacement for SG so can the access control be achieved by just using Secure Gateway plus somthing else? Apologies if I'm missing something obvious.
Thanks
Lee.
|
|
Davey
SmartAccessCentral Moderator
User Online:
|
|
Posted:22/06/2005 1:57 PM |
|
|
Hi Lee,
The CAG can be used as a replcement for the current software SG, the code base has been ported onto the lastest version of the CAG ( 4.x ). The CAG can forward traffic to a WI server and give access to Presentation Server applications.
To use the SmartAccess options (end point scanning and access filters), you need to upgrade the CAG to the Enterprise Edition which comes with the Advanced Access Control option.
Today the Enterprise edition is only available in a software form (software Access Manager server, and a software Secure Gateway), but come October the software SG will no longer be available and the code will be ported onto the appliance. Access Gateway Enterprise will allow you to connect to a WI server and Presentation Server applications and give you ability to apply access polices based on end point scans.
Hope this helps ?
Thanks,
David Coombes
dave@smartaccesscentral.com
|
|
dabs
SmartAccessCentral Moderator
User Online:
|
|
Posted:22/06/2005 1:59 PM |
|
|
Hi Lee
Your not missing anythign obvious. As one of the Citrix guys said to me at iForum 'Was there anything we missed to make this more confusing?' so they know its a tricky one.
Basically if you want to use the AAC functionality then you need to buy Citrix Access Gateway Enterprise (CAGE) software and licenses. If you buy before the end of June then buy MSAM 2.2 licenses with a Citrix Access Gateway (CAG) appliance Then use the power-up promotion to upgrade to CAGE.
If you buy after June, then buy just CAGE 4.0 licenses. This will requrie 2 windows servers, one on the LAN to run the Access Manager and one in the DMZ to run the Gateway as the Gateways for SG and CAGE aren't compatible. (For this you could also think about using VMware to minimse hardware requirements).
When the next release of CAGE comes out, then the Secure Gateway component will be ported to the appliance (CAG) so to get the next verion og CAGE you will need to buy the appliance, hence using th epower-up option before the end of June is a good way to get there. You simply buy the gateway for now, either use it as a VPN or stick in the cupboard until October (ish).
Does this help? If you want bit more of a chat then drop me a mail.
Thanks
brian
Brian DaBinett
brian@smartaccesscentral.com |
|
JonasB
New Member
User Online:
|
|
Posted:23/06/2005 11:35 PM |
|
|
Hi for me it's still a bit confusing.
Is it not possible to configure endpoint scanning/policies with CAG? It's available and configurable in the admin GUI since 4.9 got 4.1 installed. I haven't played around with it yet got my box yesterday.
|
|
Joslyn
SmartAccessCentral Moderator
User Online:
|
|
Posted:24/06/2005 10:04 AM |
|
|
The CAG Appliance does have basic end point functionality included (limited to checking for a file, registry key or a process). The Advanced Access Control Option gives you a blank page in terms of what you can check for and how you check for it (with the use of the SDK). It also includes a number of out the box end point scans for different A/V vendors. personal Firewall vendors, IP Scans, MAC Scnas, IE Versions, OS Versions patch levels etc. You can then build up comprehensive access policies with the AAC based upon these advanced scans, something that cannot be done with just the appliance.
Plus the CAG appliance can only use its end point scans to limit access to IP ranges and Ports. The AAC can use its end point scans to limit access at the resource level (File Shares, Web Apps, PS Apps, PS Virtual Channels, how clients can interact with files etc).
Thanks,
Tim
Tim Joslyn
Tim@smartaccesscentral.com
www.SmartAccessCentral.com |
|
current
Intermediate Member
User Online:
|
|
Posted:03/11/2005 8:19 PM |
|
|
HI.
At this exact point in time, I am just about to order the AGE. What is the latest version
that is shipping of this product. Is the ACC still a software component that needs to be installed on
a server.
This is my thinking of my setup. I am Correct or am I missing something.
What will a user just accessing from a SSL Web connection from say a public console
without any client S/W installed be able to do, Will they be able to access PS4 Applications
uning RSA Keyfob.
Internet-Checkpoint Firewall
-------------------------------
DMZ-Citrix AGE
-------------------------------
Internal PS4 Farm (Two Servers)
RSA Secure ID(One Server)
WEB IF4.x/ACC 4.x(One Server)
|
|
dabs
SmartAccessCentral Moderator
User Online:
|
|
Posted:04/11/2005 12:06 AM |
|
|
Hi there
The current version available for AGE is 4.0. Version 4.2 is due out this month provided there are no delays. So if you buy today you get version 4.0 and would upgrade to 4.2 using the subscription advantage, with this in mind you would purchase:
- Citrix Access Gateway appliance
- Citrix Access Gateway Enterprise licenses
You would leave the appliance on the shelf and turn it on when you move to 4.2. With 4.2 you would install the AAC onto a Windows server on the LAN the same as with 4.0.
A user coming into the system from a client that is unable to download anything would be able to run web based resources, e.g. :
- Outlook web access
- Intranet
- File shares (through AAC interface)
Whilst this is what is possible with no client, you need to configure AAC to allow access when it can't even install the end point client.
In terms of RSA to gain access to ICA applications, this would be possible to scan for, but only if you can download the end point client.
Finally, depending upon load you may split the WI and AAC server.
Hope this helps
Thanks
bd
Brian DaBinett
brian@smartaccesscentral.com |
|
current
Intermediate Member
User Online:
|
|
Posted:04/11/2005 8:55 AM |
|
|
Thanks
With the web ActiveX Client for AG/ACC installed (Say on a Public Kiosk if allowed) will that
give the user access to PS4 Applications. The Windows client part is causing me consearn
because from a Public Access Terminal installing that is out of the question. Other SSL VPN
solutions don't need any client (Aventail).
Thanks
Alan
|
|
Joslyn
SmartAccessCentral Moderator
User Online:
|
|
Posted:04/11/2005 1:27 PM |
|
|
You can allow users to log onto PS applications with RSA authentication without the need for any client components, the active X clients are not required for PS as this can be configured to fall back to the Java client.
Does this answer your question?
Tim
Tim Joslyn
Tim@smartaccesscentral.com
www.SmartAccessCentral.com |
|
current
Intermediate Member
User Online:
|
|
Posted:04/11/2005 8:24 PM |
|
|
Thanks that is exactley what I am looking for so now I can proceed with my purchase.
Alan
|
|
cesisson
New Member
User Online:
|
|
Posted:06/03/2006 7:40 PM |
|
|
Is the AAC (Advanced Access Control) always going to be a separate component (separate from the Access Gateway)? Or is the component ever going to be a part of the Access Gateway appliance itself.
We have the Access Gateway installed. It looks like we need to install the AAC component on a standalone server.
Can anyone tell me what the minimum specs of the server should be?
We have been told that the server should be running Windows 2003 Web Edition.
Thank you.
|
|
Joslyn
SmartAccessCentral Moderator
User Online:
|
|
Posted:08/03/2006 11:48 AM |
|
Hi,
The server does not need to be web edition of 2003, any edition will do as long as it can run IIS.
For the forseeable future AAC will be a seperate component however in the future who knows what will happen, it may be possible that Citrix will include some AAC functionality in the Enterpise edition of the Access Gateway and this would surely reside on the appliance?
Tim
Tim Joslyn
Tim@smartaccesscentral.com
www.SmartAccessCentral.com |
|