| Author |
| |
Messages |
Sort: |
|
jannie2
Intermediate Member
User Online: 
|
|
Posted:15/08/2005 1:32 PM |
|
|
Hi,
We want to give internet access to our applications on the Citrix serverfarm but we want to control the access: a user should not have access to the same set of applications he has when he is in the office and we want to use safeword for citrix for strong authentication. Is it the Citrix Access gateway appliance with the advanced control option the right solution? Some people tell me that we should wait until the next release of the advanced control option will be available in october and that safeword for citrix does not work in the current release. What is the best way to go?
|
|
dabs
SmartAccessCentral Moderator
User Online:
|
|
Posted:15/08/2005 10:19 PM |
|
|
Hi Jannie
If you want to provide the sort of control you mention then you are right you want Access Gateway Enterprise. Access Gateway Enterprise is effectively Access Gateway with the Advanced Access Control Option.
Safeword is supported in the current release of AAC (4.0).
There is a new release due in October which will be 4.2, alongside a general suite release at the same time.
AGE as you know has two elements, the Secure Gateway and the Access Manager (as I still call it). The Secure Gateway sits in the DMZ on a Windows server in version 4.0, in version 4.2 this will move to the Gateway Appliance. The Access Manager runs on a Windows server on the LAN and this won't change with a move to 4.2.
So in summary you can deploy AGE today on version 4.0, have Safeword support and then upgrade to 4.2 when you it is released. When you do the upgrade you will need to buy an appliance as well (unless Citrix change their policy).
Hope this helps
brian
Brian DaBinett
brian@smartaccesscentral.com |
|
jannie2
Intermediate Member
User Online:
|
|
Posted:16/08/2005 4:33 PM |
|
|
Hi Brian,
Thanks, but your answer confuse me with "Secure gateway sits in the DMZ on a Windows server in version 4.0". In CTX106978 - How to Integrate Access Gateway 4.0 with WebInterface I read: "Starting with Access gateway 4.0, functionality available in Secure gateway for Presentation Server is resident on the appliance." So why do I need a Windows server in the DMZ?
Back to the question : can I implement internet access to my serverfarm with Access Gateway Enterprise (appliance + access control option) where the access differs from the office? If you advise not to start with the appliance why is that?
Thanks,
Jan
|
|
dabs
SmartAccessCentral Moderator
User Online:
|
|
Posted:16/08/2005 11:22 PM |
|
|
Hi Jan
Sorry to confuse you, I should leave that to the Marketing people 
To offer a different set of applications when a user is away from the office you need to use Access Gateway Enterprise.
Access Gateway Enterprise (AGE) 4.0 (a different product to Access Gateway) does not use the appliance for the secure gateway yet, so you need to run the Secure Gateway for AGE on a Windows server in the DMZ until version 4.2 in October.
Access Gateway Enterprise 4.2 (October release) will use the appliance.
Hopefully that clarifies the need for a Windows Server in the DMZ with Gateway Enterprise.
Let me know if you have any more questions, or drop me a mail.
Brian DaBinett
brian@smartaccesscentral.com |
|
jannie2
Intermediate Member
User Online:
|
|
Posted:18/08/2005 2:08 PM |
|
|
Brian,
Thanks for your clear answer, I think I understand. Another point is what you say that SafeWord for Citrix is supported. In the AccessGateway_AdminGuide they talk about support for SafeWord PremierAccess and NOT SafeWord for Citrix. As you know these are different products. In the AccessGateway Enterprise_Guide the talk about support for SafeWord for Citrix.
Is SafeWord for Citrix supported using the AccessGateway in both configurations, with and without Advanced Control Option?
Jan
|
|
dabs
SmartAccessCentral Moderator
User Online:
|
|
Posted:19/08/2005 6:31 AM |
|
|
Hi Jan
I am just checkign this one out, as soon as I have the answer I will let you know, unless someones else knows it in the meantime?
Thanks
bd
Brian DaBinett
brian@smartaccesscentral.com |
|
dabs
SmartAccessCentral Moderator
User Online:
|
|
Posted:19/08/2005 4:52 PM |
|
|
Hi Jan
I have been told by Secure Computing that Safeword Premier will run both Gateway and Enterprise, and that (apparently) Safeword for MetaFrame is for AGE only.
The reason for this is that Gateway can functio as a full VPN and that Safeword consider the Gateway Enterprise as being MetaFrame only.
Hope this helps
Brian DaBinett
brian@smartaccesscentral.com |
|
jannie2
Intermediate Member
User Online:
|
|
Posted:19/08/2005 7:33 PM |
|
|
Hi Brian,
This is very strang. I think AGE is supported because we have to use Secure Gateway, as you explained to me) what was supported with Safeword for Citrix already for some time (nothing changed but the name Secure Access Manager). But what will happen with v4.2 when the Access Gateway has the functionality of Secure Gateway for Secure Access Manager?
If the Access Gateway is not supported, everybody who has invested in Safeword for Citrix in a Secure Gateway implementation, cannot upgrade to Access Gateway? Is that not very strange?
I think when we use the Access Gateway 4.1 in Secure Gateway mode and the Citrix WebInterface that should be supported with Safeword for Citrix, am i wrong?
Thanks for your help, regards,
Jan
|
|
dabs
SmartAccessCentral Moderator
User Online:
|
|
Posted:19/08/2005 8:03 PM |
|
|
Interesting scenario, I am in the office on Monday so I will chase it down then, its the only problem when your out on the road and you can't follow things through. I will investigate further and let you know.
From what I ahve been told Premier is needed for the full VPN as it isn't going to just ICA, where as AGE and 4.1 are going to ICA. It will also be interesting to see what happens when 4.2 is released as the AAC gateway will disable the VPN and CSG on the appliance, seems like Secure Computing need a position on this one.
Thanks
Brian DaBinett
brian@smartaccesscentral.com |
|
jannie2
Intermediate Member
User Online:
|
|
Posted:20/08/2005 8:46 AM |
|
|
Brian,
Additional info: at the bottom of the Citrix KB document CTX106978 I read support limitations regarding Safeword:
Some script modifications are required to allow Web Interface to accept the credentials forwarded by Access Gateway. For details, see CTX106202 - Forwarding Credentials from Access Gateway 4.0 to Web Interface.
Single sign-on to Web Interface carries the following requirements:
• Web Interface 3.0 or 4.0
• Portal Page Authentication must be enabled on Access Gateway
• Web Interface must be deployed “behind” Access Gateway, as illustrated in deployment scenarios 2 or 3 above
• The Access Gateway Default authentication realm must be configured to use LDAP authentication. When using RSA, SafeWord, or RADIUS authentication at the Access Gateway, the changes outlined in article CTX106202 are not supported.
Regards,
Jan
|
|
jannie2
Intermediate Member
User Online:
|
|
Posted:22/08/2005 8:17 PM |
|
|
Brian,
I have received information from SecureComputing that Safeword for Citrix does support Citrix Access Gateway but that the only way it can be implemented is to use the RADIUS configuration option in the CAG along with the IAS Agent (The IAS Agent (SecureComputing agent) + IAS (Microsoft Radius Server) must be installed).
I hope this information is usefull for other readers?
I think this means that an upgrade from Secure Gateway to Access Gateway is not very transparant for current Safeword for Citrix customers!
I don't know what this means for me, do I still have a Windows server in the DMZ or can I run the RadiusServer on the Webserver in the trusted network?
I don't know if "When using RSA, SafeWord, or RADIUS authentication at the Access Gateway, the changes outlined in article CTX106202 are not supported." from CTX106978 is still a problem for single signon?
Regards,
Jan
|
|