The Citrix Blog
Blogs for tag 'vpn'


posted by Sai Allavarpu

Mac users out there have long been asking for and waiting for a rich and secure remote access experience with Access Gateway solutions. Now the wait is over. Mac users can now download the Access Gateway plug-in for Mac from MyCitrix.

The Access Gateway team has made the Mac OS X plug-in available for Access Gateway 4.6 Standard Edition and Access Gateway 9.1 Enterprise Edition:

- The plug-in conforms to the native Mac look and feel, providing a rich user experience.

- Mac users can securely connect to their remote applications, leveraging pre- and post-authentication endpoint scans to confirm that the client conforms to corporate security policies. For stronger security, when the remote Mac user logs off, the plug-in also destroys any session data (cache, cookies, etc.) on the client.

- With globalization features, the plug-in brings this new experience to English, French, German, Spanish and Japanese users.

If you are a Mac user, I encourage you to go to the downloads section on MyCitrix and select Citrix Access Gateway from the drop-down menu of "Search Downloads by Product", then find "Access Gateway Plug-in for Mac OS X, Version 1.0.2.23" under the Clients section.

If you are using this new plug-in, please share your experience with me and what you would like to see next.

Sai


posted by Richard Davis

PinSafe is a form of multi-factor authentication which is easier to deploy and more cost effective than its token-based competitors. It also integrates seamlessly with the NetScaler for both SSL VPN and AAA for Web Applications.

It works by presenting the user with a customized "one time" image on the login page. The image employs character rotation and uses a range of fonts and backgrounds to resist OCR attacks. Contained within the image is a security string which can be made up of numbers, characters or a mixture of the two. Placeholders in the image help the user extract their one-time code: the user reads off the character at each position indicated by a digit of their PIN. So in the example below, a PIN of 4359 would yield a one-time code of 3125.


The default image has placeholders to help the user extract the one-time code, but other, pattern-based images can also be used. The examples below show the numeric (e.g. telephone) keypad pattern as well as a more random pattern. These images can even be branded to individual customers' requirements.
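To make the extraction step concrete, here is an added example (not PinSafe or Swivel Secure code, and not from the original post) of the server side of such a scheme: a fresh security string is generated per login attempt, the expected code is derived from the user's PIN, and the submission is checked in constant time and the string discarded so it cannot be replayed. The security string below is constructed so that, as in the post, PIN 4359 yields 3125; the position mapping (PIN digit 1 selects the first character, 0 the tenth) and the `pin_lookup` store are assumptions for the sake of the example.

```python
"""Server-side check of a PinSafe-style one-time code (added example)."""
import hmac
import secrets
import string

# Constructed example string; positions are 1-based, as on a keypad.
# Position 4 -> '3', 3 -> '1', 5 -> '2', 9 -> '5', so PIN 4359 gives 3125.
SECURITY_STRING = "8613270459"


def new_security_string(length: int = 10, alphabet: str = string.digits) -> str:
    """Generate a fresh string for one login attempt using a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def one_time_code(security_string: str, pin: str) -> str:
    """Code the user should type: the character at each PIN digit's position.

    Assumed mapping: PIN digit 1 selects position 1 (index 0); digit 0 selects
    position 10 (index 9).
    """
    if not pin.isdigit():
        raise ValueError("PIN must be numeric")
    if len(security_string) < 10:
        raise ValueError("security string must cover positions 1-10")
    return "".join(security_string[(int(d) - 1) % 10] for d in pin)


def verify(security_string: str, pin: str, submitted: str) -> bool:
    """Compare the submitted code with the expected one in constant time."""
    expected = one_time_code(security_string, pin)
    return hmac.compare_digest(expected.encode(), submitted.encode())


class LoginAttempt:
    """Binds one security string to one login attempt so it is single-use."""

    def __init__(self, pin_lookup):
        self._pin_lookup = pin_lookup   # hypothetical callable: username -> PIN
        self._pending = {}              # username -> security string not yet consumed

    def challenge(self, username: str) -> str:
        """Issue the string that would be rendered into the login-page image."""
        s = new_security_string()
        self._pending[username] = s
        return s

    def check(self, username: str, submitted: str) -> bool:
        """Consume the pending string whether or not the code matches."""
        s = self._pending.pop(username, None)
        if s is None:
            return False
        return verify(s, self._pin_lookup(username), submitted)


if __name__ == "__main__":
    print("expected code for PIN 4359:", one_time_code(SECURITY_STRING, "4359"))
    attempt = LoginAttempt(lambda user: "4359")
    shown = attempt.challenge("rick")
    print("first use accepted:", attempt.check("rick", one_time_code(shown, "4359")))
    print("replay accepted:", attempt.check("rick", one_time_code(shown, "4359")))
```

The two properties worth checking in any deployment of such a scheme are visible here: the security string is consumed on first use (a captured code is useless for a second login), and the comparison does not leak timing information about how many characters matched.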


For more information go to http://www.swivelsecure.com/


posted by Richard Davis

If you need to search for a particular piece of data in the SUBJECT or ISSUER fields of a client's SSL certificate, the CONTAINS and NOCONTAINS operators will serve you well. However, if you want to be more granular, you will likely get frustrated using the offset values of the Classic AppExpert Expression.

Problems occur when administrators rely on IE's display of the certificate values to determine the offset position within these fields rather than using openssl. You need openssl because IE (and other browsers and operating systems) tend to display these values incorrectly, changing both the format and the order of the components. So if you're going to set offsets, do NOT get your position information from IE! Use openssl instead.

For example, take a look at my test certificate:




See how IE makes it look as if you should read this list (the top half) from left to right, or (the bottom half) top to bottom? Unfortunately, both are completely backwards. Worse, there aren't any spaces or commas between the substrings.

So if you rely on what IE shows you when you try to search a specific location for "Rick.Davis@", you might use an offset of zero. Or three. But neither of those is correct. OpenSSL will show you that the offset is actually 73!

It's completely contrary to what you might expect because this is how the subject field is read by the NetScaler:
subject= /C=US/ST=Missouri/O=davis3.lab/OU=Access/CN=Rick.davis3.lab/emailAddress=Rick.Davis@davis3.lab

Procedure

In order to accurately calculate the offset, you will need to use the openssl command.  Here's how:

  1. Upload the client certificate to the NetScaler.
  2. Use OpenSSL to view the SUBJECT or ISSUER field from the NetScaler's CLI:
> shell
cd /flash/nsconfig/ssl
openssl x509 -noout -in client.cer -subject
subject= /C=US/ST=Missouri/O=davis3.lab/OU=Access/CN=Rick.davis3.lab/emailAddress=Rick.Davis@davis3.lab

The fields use ordinal numbering, so the first "/" character is number zero.  Here's the location map: 

/C=US/ST=Missouri/O=davis3.lab/OU=Access/CN=Rick.davis3.lab/emailAddress=Rick.Davis@davis3.lab
0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123
0         1         2         3         4         5         6         7         8         9
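The counting above is easy to get wrong by hand on a long distinguished name, so here is an added example (my own script, not part of the original post or a Citrix tool) that does it from the one-line `openssl x509 -noout -subject` output: it strips the `subject= ` label so the first `/` is offset 0, reproduces the location map above, finds the offset of a substring, and refuses to answer when the substring occurs more than once (an offset match must point at exactly one place). It assumes the attribute values themselves contain no `/` character, which holds for the post's certificate.

```python
"""Offsets for NetScaler classic-expression matches on a certificate's
SUBJECT or ISSUER field, computed from openssl's one-line output.
Added example, not from the original post."""

# Line copied from the post's openssl output for its test certificate.
SUBJECT_LINE = (
    "subject= /C=US/ST=Missouri/O=davis3.lab/OU=Access"
    "/CN=Rick.davis3.lab/emailAddress=Rick.Davis@davis3.lab"
)


def subject_value(openssl_line: str) -> str:
    """Strip the 'subject= ' or 'issuer= ' label so the first '/' is offset 0."""
    label, sep, value = openssl_line.partition("=")
    if not sep or label.strip() not in ("subject", "issuer"):
        raise ValueError("expected a line starting with 'subject=' or 'issuer='")
    return value.lstrip()


def offset_of(openssl_line: str, needle: str) -> int:
    """Zero-based offset of `needle` in the field as the NetScaler reads it."""
    field = subject_value(openssl_line)
    first = field.find(needle)
    if first < 0:
        raise ValueError(f"{needle!r} not found in field")
    if field.find(needle, first + 1) >= 0:
        raise ValueError(f"{needle!r} occurs more than once; offset is ambiguous")
    return first


def location_map(openssl_line: str) -> list:
    """Return the field and the two ruler lines used in the post's location map."""
    field = subject_value(openssl_line)
    units = "".join(str(i % 10) for i in range(len(field)))
    tens = "".join(str(i // 10) if i % 10 == 0 else " " for i in range(len(field)))
    return [field, units, tens.rstrip()]


def rdn_offsets(openssl_line: str) -> dict:
    """Offset at which each attribute's value starts, keyed by attribute type.

    Assumes values contain no '/' (true for the post's certificate); a value
    with an embedded '/' would be split incorrectly here.
    """
    field = subject_value(openssl_line)
    result = {}
    pos = 0
    for rdn in field.split("/")[1:]:        # first element is '' (before the leading '/')
        key, _, _ = rdn.partition("=")
        result[key] = pos + 1 + len(key) + 1  # skip '/', the key and '='
        pos += 1 + len(rdn)
    return result


if __name__ == "__main__":
    print("\n".join(location_map(SUBJECT_LINE)))
    print("offset of 'Rick.Davis@':", offset_of(SUBJECT_LINE, "Rick.Davis@"))
    for key, off in rdn_offsets(SUBJECT_LINE).items():
        print(f"{key:>13} value starts at offset {off}")
```

Run it against the `-issuer` line as well if you are matching on ISSUER; the label check accepts either. The ambiguity check matters more than it looks: "davis3.lab" appears three times in this subject, so a CONTAINS match is the right tool for it, while an offset match is only safe for substrings that occur once.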

References

CTX116431 How to Create and Use Client Certificates on the NetScaler 

CLIENT.CERT
CLIENT.CERT.SUBJECT
CLIENT.CERT.ISSUER
CLIENT.CERT.SIGALGO
CLIENT.CERT.VERSION
CLIENT.CERT.VALIDFROM
CLIENT.CERT.VALIDTO
CLIENT.CERT.SERIALNUMBER
CLIENT.CIPHER.TYPE
CLIENT.CIPHER.BITS
CLIENT.SSL.VERSION 


posted by Richard Davis

Everyone should know by now that the NetScaler standard is the best practice for XenApp delivery.  So why do folks still see "Access Gateway" on the NetScaler's cool carbon fiber login page?

Do your prospects a favor and provide a consistent message that NetScaler is the solution they are testing! 

One small way you can address this is by changing the "Access Gateway" graphic in the VPN login page to read "NetScaler".   I bet you didn't even know Citrix already put the logo on the device, did you?

Procedure

  1. Log in to the command line interface using any of the available methods:
    1. Web GUI: System > Diagnostics > Command Line Interface
    2. Console port 
    3. SSH client
  2. Issue the following commands:
> shell
# cd /netscaler/ns_gui/vpn/images
# mv ctxHeader01.gif ctxHeader01ForAGEE.gif
# cp ctxHeader01ForTM.gif ctxHeader01.gif


Notes

Used NetScaler 9.0


posted by Craig Ellrod

And it's FREE! Throw away those behemoths that suck power from every grid in the state and drain your budget. This baby is Free, Open Source and VIRTUAL, meaning you can run as many instances of this router as you want on your choice of hardware. What is even more gratifying is it's faster than the old router technology.

Vyatta has commoditized router, firewall and VPN deployment in the same way that Linux commoditized the operating system market. Vyatta open-source networking offers you an alternative to over-priced, inflexible products from proprietary vendors.

Vyatta software enables customers to build routing and security solutions using standard x86-based hardware of their choosing, ensuring networks will always meet performance requirements. Vyatta open-source software delivers the unique advantage of allowing customers to scale networks from the simplest LAN configurations to large BGP WAN edge configurations using a single software package.

Vyatta software includes support for the most commonly used network interfaces and industry-standard routing and management protocols, and all of these features are configurable via a single command-line interface (CLI) or a web-based graphical user interface (GUI), available Q3 '08. The integrated features and functionality make Vyatta software ideal for SMB, branch office, enterprise and service provider deployments.

Summary of features:
BGP, OSPF, RIP, DHCP, QoS, IPSec VPN, VRRP, PPP, 802.1Q, Complete List.

This open source router is already running on XenServer in a large service provider in Europe. We are using it in our Citrix Ready program as a multi-link Intranet with connections to the Internet along with high availability link load balancing.

This para-virtualized Vyatta image runs as a virtual appliance in XenServer v3.2.1 and v4.1.

The XenServer Platform we are using: [image]

Virtual Router - Install: [image]

Virtual Router - Config: [image]

Tap into the power of AppExpert.


posted by Damian Hanna

The views expressed here are mine alone and have not been authorized by, and do not necessarily reflect the views of, Citrix.

Typically, an admin who implements the Access Gateway Enterprise Edition (AGEE) finds themselves deciding how to lock down the environment that the users will connect to. I have been asked many times what the "Best Practice" would be to restrict or allow access for their users. What I like to explain is that the normal security guidelines come into play first; however, each environment can differ based on company security policies and application delivery goals.

What I like most about the AGEE, aside from multiple vServers, automated failover, enterprise scalability, policy control, etc., is the flexibility to provide secure remote access to Presentation Server applications without using a "VPN" client. The AGEE's VPN client is called the Secure Access Client (SAC). The SAC is there if needed, and all of the granular access policies can be applied to the full "VPN" tunnel. The flexibility to give users access to just Presentation Server applications and/or a full desktop experience is only outdone by the ease and flexibility of the policies that determine the user's logon session environment. This is called SmartAccess and it is performed by the AGEE appliance itself.

The bottom line with policies is to make sure you start with a solid design. That design should include what kinds of users will be connecting and what resources they will need access to. From there, you will need to decide whether to run Pre-Authentication Policies to grant or deny access to the logon page, and which other features users will have during their session. In addition, you will need to determine whether to set up policies that run End-Point Analysis after credentials are entered, to filter Presentation Server applications and/or grant or deny access to other resources, including the entire session.

This is just the beginning; there are many other features provided by the AGEE, as well as many different combinations of how to apply policy and dynamically create the user's logon environment when connecting via the AGEE. I hope after reading this, you too will be excited about the power and flexibility of the AGEE, and remember how important an initial design is to realizing the AGEE's full potential.
