The Citrix Blog
Blogs for tag 'security'


posted by Chris Mayers

There's recently been a fair amount of discussion on security and Presentation Server installation, with some insightful responses (see Brian Madden's blog entry). One point about the original posting: it was concerned with attacks from authenticated users only. An Internet attacker has to jump the authentication hurdle first. That's why strong authentication is so important for Internet-facing deployments.

The book Citrix Access Security for IT Administrators (ISBN-13: 978-0-07-148543-2) is a great resource for planning and securing your setup. Several Internet-facing configurations are described. It doesn't cover everything: we had to leave out Access Gateway because it didn't fit the editorial timetable; and those with specific regulatory requirements will also want to refer to the Common Criteria documentation, and the Security Standards and Deployment Scenarios documents, at https://www.citrix.com/security.

And yes, this edition of the book covers Presentation Server 4.0. We'd love to do a second edition for Presentation Server 4.5 and later. Getting into print is a lot of work, so we'd like to know first whether you like this kind of security material in book form, or delivered some other way. The Common Criteria documentation and the Security Standards and Deployment Scenarios document are already posted for Presentation Server 4.5. Let us know your thoughts.

Also, since this book was written, we launched the Citrix Ready program. Take a look at the Citrix Ready Products Guide for third-party information - there's a section for security products.

Finally, consider whether SmartAuditor is a good fit for your organization. It's a powerful tool for addressing the risks from authenticated users. At this time, it is a feature of the Platinum Edition of Presentation Server - see Citrix Presentation Server Editions.


posted by Derek Thorslund

Who offers the "Best Identity Management Solution" on the market today? It will surprise some (who haven't yet seen the press release) to learn that the over 750 software industry vendors who make up the Software & Information Industry Association (SIIA) recently gave this accolade to a company much better known for application virtualization, namely Citrix. In fact, in this year's prestigious CODiE awards, Citrix Password Manager - our solution for centralized password management and Enterprise Single Sign-On (ESSO) to Windows, Web and host-based applications -  won in two categories: "Best Identity Management Solution" and "Best Data Security Solution". That's a strong hint of the value of this product in today's IT environment and a further confirmation of what Gartner concluded in their MarketScope for Enterprise Single Sign-On, when out of 13 vendors evaluated, only Citrix received Gartner's coveted "Strong Positive" rating. But it might lead you to ask, Why isn't Citrix better known as an identity management vendor?

Citrix's important role in the Identity & Access Management (IAM) space is often overshadowed by our pre-eminent position in Application Delivery (application virtualization, application streaming, desktop streaming, web app optimization, etc.). From our perspective, identity management technologies like automated sign-on, password policy enforcement, self-service password reset, and application access control (SmartAccess™) are all part of the complete Application Delivery equation, simplifying the end user's access experience while improving IT security and regulatory compliance. That's why Citrix Password Manager is available not only as a standalone product; it also powers the single sign-on capabilities of Citrix Presentation Server Platinum Edition. Identity & Access Management is all about controlling access to IT resources based on the authenticated identity of the user, and that's a key aspect of Application Delivery in the enterprise.

Similarly, you might not have categorized Citrix as a data security company, yet Citrix Password Manager won the award for "Best Data Security Solution". Clearly, data security is also a critical aspect of our broader theme of Application Delivery. Password Manager is currently going through Common Criteria EAL2 Certification, which will provide further testimony to the product's strong security attributes.

So, it just comes down to your own preferred taxonomy of technologies; whether you slot Enterprise SSO under Identity & Access Management or view it as part of the broader Application Delivery problem space doesn't really matter in the end. The value comes from recognizing that Enterprise SSO is a relatively quick win for any organization whose users are faced with multiple logins and a need for tighter security practices. Without modifying application code, you can streamline access while strengthening security, even making Password Manager the gatekeeper to sensitive applications (users don't even know the passwords). Through support for standards like SAML for Federation and SPML for Provisioning, and through an extensive ecosystem of Strong Authentication vendors offering a broad array of alternatives for validating user identity, Citrix's approach to Identity & Access Management provides flexibility for the future while solving the password problems that every organization needs to address immediately.


posted by Andrew Innes

I was fascinated by Jeff Muir's account of how the ICA web client came to be written, and also by the timing of when this happened (much earlier than I realized).  It brought home to me again the curious arc Web Interface is riding, from the early days of the Web when it was a novelty to be able to run applications from a web browser, to the point we are at now where it is getting increasingly difficult to run ICA applications from a web browser, at least with the technology we have today.  Making sure we are in a better place a few years from now concerns me, and makes me wonder if we need a step-change in technology.

We've known for some time that it is getting harder, and that people are running into more and more situations where Web Interface isn't working properly and they can't get access to their applications.  It isn't just executives using the kiosks in airports and hotels - though you can imagine how much visibility that gets when a company has just put in a shiny new Citrix system for remote access!  It also matters for customers wanting employees to be able to access critical applications from home, or from anywhere they might be stranded in a wide-scale emergency.

The problem is that security concerns have come to the fore, and browsers are increasingly trading off usability and convenience (or rather the apparent convenience you enjoy before your PC stops working for you and opts for a life making money for spammers) for better security.  Browsers themselves are including more security mechanisms like the IE Information Bar introduced by Windows XP SP2; pop-up blockers and the like have become de rigueur, it seems, in almost any product with an Internet focus; and security suites are hooking into almost everything that's happening on your PC to block bad behaviour.

This decline in usability unfortunately goes to the heart of the Citrix value message, that access is provided from any device over any connection anywhere.  Web Interface is the primary means we have of delivering on that promise, with the Internet and web browsers taken for granted as the ubiquitous baseline we can assume to exist (almost) everywhere.

So it's a big deal for us that WI is hitting more and more problems that undermine this essential role, and I am pleased to say we are now doing something about it.  We can still use your input and guidance though, to help ensure we are focused on the right aspects and make the right tradeoffs.

The approach we are taking is one that has been pioneered already; you can see a good example in action here.  In essence, the approach is this: accept that we cannot always accomplish what the user wants, or not always as easily or as well as the user would like.  Instead of pretending that we can always launch applications at the click of a button, and treating the small matter of ensuring the user's computer has the necessary client components and security settings as a kind of after-thought, let's make that process an essential part of the user experience.

And if we can't launch applications (for reasons beyond our control), let's be sure to tell the user so clearly and promptly, so they don't waste any more time trying.  If we can say why, they also may have the chance to get something done about it; maybe convince kiosk owners to pre-install ICA clients for example.

I'm sure this is a topic that will get discussed a lot more, here and elsewhere, so for now I'll just whet your appetite with a screenshot from a prototype we've built recently which gives you a flavour of how we are intending to start following this approach in the near future. 
 
 
As I said in my initial post, this forum is an opportunity for you to give feedback directly to the Web Interface team, and there is a good chance that we will be able to act on your feedback and incorporate good ideas, if not in the next release then as soon as we can.  So, let us know what matters to you, and where you would like us to concentrate.
Cheers,
AndrewI
