Posts Tagged ‘SmartAccess’

Host checks/EPA scans are not for everyone – #Citrix, #NetScaler, #AccessGateway

January 30, 2013

This is an interesting blog post from Citrix… It captures a scenario that I know one of my previous customers was thinking of, so have a look at it!

The main thing that I think of when reading this, though, is that EPA scans are NOT for everyone; I agree. And please also read my earlier posts on why it cannot be done with today’s products from Citrix.

#Citrix #Receiver 3.4 and 11.7 = is the #SmartAccess story more real now? – #CloudGateway, #AGEE, #NetScaler, #StoreFront

#Citrix #SmartAccess = A complete story or not? – #NetScaler #AGEE #EPA

Even though the latest Receivers changed some scenarios and enable host checks/EPA scans, they still don’t provide the full picture. But I’ll be publishing a more detailed picture on why later, some late night I’ll be able to complete it! 😉

Here you have the blog post from Tobias Frigger:

A customer of one of my Citrix Consulting colleagues recently came up with an interesting request.

Like many others, they are using Citrix NetScaler’s Access Gateway Enterprise Edition module to grant secure remote access to applications and desktops.
Additionally, they use a client management and software distribution solution to deploy the EPA plugin to client computers and therefore wanted to suppress Access Gateway offering the EPA scan plugin for download through the browser. This introduces some additional level of control over which client is entitled to connect through Access Gateway.

An approach restricting certain user groups from logging in by using group memberships is a more common scenario, but in this case the customer intended to restrict the end points and not the users. When end users lack administrative permissions to install custom software, preventing the download is indeed an effective measure.

A job for Citrix Consulting!

As you know, Access Gateway Enterprise Edition offers two ways of running Endpoint Analysis (EPA) scans – before and after authentication. Consequently, there are two procedures.

The formal requirements

  • Remove the download button displayed when accessing the AGEE virtual server and the plugin is not detected by the browser or if the plugin is outdated
  • Alter the message text such that it refers users to contact their system administrator if they think the plugin should be installed.
  • When using a post-authentication EPA scan, add a “logout” button.

EPA Scan dialogue

Backup
As a precaution, we want to make backup copies…

Continue reading here!

//Richard

New Citrix Access Gateway Release – #AG, #SmartAccess, #Receiver, #Citrix

Ok, just as we expected there is now a new release of Access Gateway that goes hand in hand with the new Receivers as I wrote about in the following posts:

#Citrix #Receiver 3.4 and 11.7 = is the #SmartAccess story more real now? – #CloudGateway, #AGEE, #NetScaler, #StoreFront

Receiver for Windows 3.4 released

Receiver for Mac 11.7 Released

And of course, as you could read in the first post above, there are great improvements to the end-user experience when accessing resources: now you have ONE login for both the Receiver and the Access Gateway plugin. And as that post also highlights, there is support for host checks (EPA scans) in Receiver use cases as well! Finally! 😉

More info on the new Access Gateway release 10.0.71.6014.e below:

With the release of Citrix CloudGateway 2.5, comes the release of Citrix Access Gateway 10.0.71.6014.e. Citrix CloudGateway as you are aware, is the Citrix Enterprise Mobility offering, complete with Citrix Receiver running enterprise applications on the end point, Citrix Storefront running your enterprise app store, Citrix AppController running your mobile policy management and Citrix Access Gateway providing remote access to all this infrastructure.

With every CloudGateway release, Access Gateway continues to build incredible integration and smart abilities, which makes it the de-facto remote access solution for your CloudGateway deployments. Access Gateway is the only remote access solution today, which can offer seamless Receiver configuration using Email based discovery and provide intelligent integration with Storefront and AppController, to provide single sign-on to all your enterprise applications.

With this new release, Citrix Access Gateway will be able to provide the following value additions in your CloudGateway deployments:

  1. Seamless Desktop Receiver experience: With this release of Access Gateway, end users will no longer have to sign into their Access Gateway plug-ins as a manual step, to access apps / sites that require a full SSL tunnel. Receivers automatically launch a SSL VPN session via Access Gateway as needed. Result is – end user just deals with Citrix Receiver and Receiver internally (and automatically) deals with Access Gateway on user’s behalf.
  2. EPA with ICAProxy / CVPN: Receivers can now seamlessly launch AG plug-ins to connect to an Access Gateway vServer configured with End Point Analysis policies, in ICAProxy and CVPN modes as well. Earlier, this was supported only for Full Tunnel access.
  3. Session Sharing: Receiver and AG plug-in have always been two separate entities, and because of that, they establish two parallel sessions with Access Gateway. With this release, we have added the smarts in our Receiver and Access Gateway integration, to understand each other, and be able to share the same session with Access Gateway appliance. Good News – this now leads to simplified access from end user perspective, and optimal session/license consumption from Administrator perspective.
  4. Device Wipe/Lock support for AppController: With CloudGateway 2.5, AppController is launching the ability to register and track mobile devices via AppController. These registered mobile devices can then be locked / wiped, if the..

Continue reading here!

//Richard

#Citrix #Receiver 3.4 and 11.7 = is the #SmartAccess story more real now? – #CloudGateway, #AGEE, #NetScaler, #StoreFront

January 2, 2013

Citrix has now released version 3.4 of the Receiver for Mac and Windows, but what is the main added value with this release?

First off, I’d like to ask you to review my previous post, where I questioned the Citrix SmartAccess story that I believe is not there end-to-end and that really is a lacking feature for scenarios where you’d for instance want to support more BYOD models etc. You need to determine the person accessing the service and also what type of device it is, trusted or not etc. And in the previous post I argued that Citrix doesn’t deliver according to their SmartAccess story:

#Citrix #SmartAccess = A complete story or not? – #NetScaler #AGEE #EPA

And for those of you who haven’t read about the new Receiver 11.7 for OS X and 3.4 for Windows, check these posts:

Receiver for Windows 3.4 released

Receiver for Mac 11.7 Released

The table below is from the previous SmartAccess post, and my theoretical review right now is that the SmartAccess story for Windows and Mac OS X clients has improved. As you can see in the two rows for Receiver 3.3 and 11.6, where you would access through a Receiver through an AGEE, you would NOT be able to perform host checks using the EPA scans.

This was just not possible since the native Receiver didn’t have the capability to trigger the EPA scans. And the EPA plugin itself was not available in the native Receiver on OS X; it was bundled into the Access Gateway plugin.

| Client | Access method | EPA/Host-check possible on AGEE | Comment |
|---|---|---|---|
| Windows with Citrix Receiver for Windows 3.3 | Receiver 3.3 | NO | You’ll never be able to do host-checks on this device if Receiver access is used due to that the Receiver does not have EPA scan capabilities. |
| Windows with Citrix Receiver for Windows 3.4 | Receiver 3.4 | YES | Now when the Receiver is communicating with the Access Gateway plugin and shares login credentials then you can leverage the AGEE plugin to perform EPA scans and then allow different session policies and profiles depending on the EPA scan result, and at the same time of course also pass that through to StoreFront/WI and into XenApp/XenDesktop. It does however then require that you get the AGEE plugin installed on the devices, which may be another dilemma… |
| OS X with Citrix Receiver for Mac 11.6 | Receiver 11.6 | NO | You’ll never be able to do host-checks on this device if Receiver access is used due to that the Receiver does not have EPA scan capabilities. |
| OS X with Citrix Receiver for Mac 11.7 | Receiver 11.7 | YES | Now when the Receiver is communicating with the Access Gateway plugin and shares login credentials then you can leverage the AGEE plugin to perform EPA scans and then allow different session policies and profiles depending on the EPA scan result, and at the same time of course also pass that through to StoreFront/WI and into XenApp/XenDesktop. It does however then require that you get the AGEE plugin installed on the devices, which may be another dilemma… |


Receiver for Windows 3.4 released

December 28, 2012

About Receiver for Windows 3.4

Citrix Receiver for Windows provides users with self-service access to resources published on XenApp or XenDesktop servers. Receiver combines ease of deployment and use, and offers quick, secure access to hosted applications, desktops, and data. Receiver also provides on-demand access to Windows, Web, and Software as a Service (SaaS) applications. You can use it for Web access or configure it for use with Citrix CloudGateway.

What’s new

Citrix Receiver for Windows 3.4 (CitrixReceiver.exe) provides the following new features and enhancements.

  • Single authentication to the Access Gateway:
    • Use of a single session for both VPN and clientless access so that a Receiver user logs on once for both types of access and consumes only one license. This feature requires StoreFront.
    • Automatic routing of ICA traffic through the Access Gateway ICA proxy for optimal user experience.
    • Automatic start-up of a VPN tunnel when a user logs on. This feature requires that you disable the Single Sign-On with Windows setting on the Access Gateway.
    • Support for Access Gateway SmartAccess controls.
  • Improved logon and logoff operations:
    • Users are prompted to log on to Receiver only when a logon is required. Actions that require a log on include starting an app from Receiver or the Start menu, using the Refresh Apps command, viewing or searching for apps, or adding an account. A user is logged on only to the account associated with the requested resource.
    • Users remain logged on until choosing to log off or exit Receiver, roam from the internal network to an external network, or delete passwords.
    • A VPN tunnel is established when a remote user performs an action that results in a logon. Internal users are logged on to StoreFront.
  • Support for Windows 8. You can use Receiver for Windows 3.4 on Intel-based Windows 8 devices. (Receiver for Windows 8/RT is available on the Windows App Store for ARM-based Windows 8 devices.)
  • Support for Windows Server 2012 R2, 64-bit edition.
  • Support for Project Thor Technical Preview (XenApp Connector). Receiver for Windows 3.4 can be used with Project Thor Technical Preview to deliver apps with Microsoft System Center 2012 Configuration Manager.
  • Usability improvements, including:
    • App and desktop Start menu shortcuts are no longer copied to other devices, enabling users to control the location of shortcuts on each of their devices.
    • The Request button is removed. Users can now simply click to add an app and, if a request for permission to add the app is required, a dialog box appears.
    • Arrow keys can be used to navigate search results.
    • Users will experience fewer dialog boxes when adding and removing apps.
    • Error messages and certificate warnings are clearer.
    • Users can reset Receiver to factory defaults. For information on preventing user resets, see http://support.citrix.com/article/CTX135941 in the Citrix Knowledge Center.
  • Support for session pre-launch. The session pre-launch feature reduces launch times for applications delivered through Web Interface sites.
  • Support for ShareFile StorageZones. Receiver for Windows supports both ShareFile-managed cloud storage and on-premises StorageZones.
  • Upgraded FIPS support. Receiver for Windows 3.4 supports certificates with a minimum public key of 2,048-bit RSA and a SHA256 signature hash algorithm.

Receiver for Windows Enterprise

The Receiver for Windows Enterprise 3.4 package (CitrixReceiverEnterprise.exe) provides the following enhancements:

  • Support for smart card single sign-on for Windows 7 devices. When used with Web Interface, Receiver for Windows Enterprise 3.4 enables smart card pass-through authentication from Windows 7 devices.
  • Support for Fast Connect. Fast Connect provides the necessary technology for partners to rapidly authenticate users to Citrix sessions or desktops.

For information about Receiver for Windows Enterprise, including compatible systems, refer to the Receiver for Windows 3.2 documentation in Citrix eDocs.

#Citrix #SmartAccess = A complete story or not? – #NetScaler #AGEE #EPA

November 29, 2012

This little blog post is about Citrix SmartAccess. I’ve been a fan of SmartAccess for a long time, and it’s also something that Citrix has been talking a lot about in their story. The way that Citrix technology can provide applications, desktops and information to end-users on any device in a secure and controlled way.

But the purpose of this blog post is to give you my view of this story, and how true the SmartAccess story is. Remember that this is my personal view and that I’ve actually not tested all my theories below, so parts of it are purely theoretical at this stage.

So a bit of background first to build my case…

Citrix has been going on about SmartAccess, and it’s been true that the Access Gateway capabilities, once added to Web Interface and XenApp/XenDesktop, were great in terms of adding another layer of functionality that the IT supplier could use to determine how the XenApp and XenDesktop environments were accessed, and from what type of device. The device detection/classification is done through host checks (Endpoint Analysis scans, EPA) that the Access Gateway feature provides as a pre- or post-authentication scan. The result of this scan was that the device either met the policies or didn’t, and that result could then be leveraged by the other internal components (XenApp/XenDesktop) to control/manage which apps, desktops and functionality (virtual channels like printing, drive mapping etc.) the end-user should get for that specific session.

And this was/is working well for certain scenarios from a technical point of view. But is it really working for the whole story that Citrix and the whole IT-industry is driving now with BYOD etc.? Think about the message that is being pushed out there today, use any device, we can control and deliver according to security policies, we can provide access from anywhere, etc…

And this is where it becomes interesting. All of a sudden then you as an architect are to take this vision that your CIO or IT-board has and realise it into manageable IT services that combined deliver a fully fledged IT delivery of Windows, Internal Web, SaaS, Mobile and Data for this great set of use cases and scenarios. Wow… you’ve got yourself a challenge mate!

This text is from the Citrix homepage about SmartAccess;

SmartAccess allows you to control access to published applications and desktops on a server through the use of Access Gateway session policies. This permits the use of preauthentication and post-authentication checks as a condition for access to published resources, along with other factors. These include anything you can control with a XenApp or XenDesktop policy, such as printer bandwidth limits, client drive mapping, client clipboard, client audio, and client printer mapping. Any XenApp or XenDesktop policy can be applied based on whether or not users pass an Access Gateway check.

So let’s start off then by going back to SmartAccess, which is the topic of this blog!

