1 © 2017 Citrix | Summit 2017 | Confidential – Content in this presentation is under NDA
MAY 15, 2017
NetScaler Unified Gateway and Secure Access Solution
曹进 (Cao Jin)
Networking Sales Engineer
Slide 2
New application and device trends create new challenges
Use of personal devices
IT pursues agility, visibility and monitoring
Applications are moving to the cloud
Slide 7
Typical enterprise situation under the new application trends
• Multiple URLs for different logins
• Repeated authentication
• Inconsistent user experience
• Inconsistent policy configuration and management
• No centralized, unified monitoring and alerting
Today's separate access points:
• Load Balancer for web applications
• SSL VPN for enterprise applications
• Secure Gateway for virtual applications and desktops
• Web Gateway for SaaS applications
• Mobile Gateway for MAM applications
Slide 8
NetScaler Unified Gateway provides a single URL for logging in to all applications…
Users: SmartPhone, VDI, SaaS, Web Apps, Client/Server
• Consolidation lowers cost by up to 50%
• Easier to manage
• A centralized approach improves efficiency
• Easy compliance enforcement, fewer attacks
• Supports all end-user devices
• Complete end-to-end visibility
Slide 9
…and enables single sign-on across all applications
Users and single sign-on: SmartPhone, VDI, SaaS, Web Apps, Client/Server
• Single point of access to all applications
• User identity data stays on-premises
• Secure access management with fine-grained, consistent access control for all applications
• Better user experience and higher productivity
SAML 2.0, OAuth
Slide 10
Unified Gateway use cases
Slide 11
Use case 1: Unified Gateway provides secure remote access to Citrix XenApp and XenDesktop
• Centralized access-control policy management for Citrix XenApp / XenDesktop applications
• The only product that provides complete visibility and monitoring tools for XA / XD traffic
• The only product that provides adaptive access-control policies for XA / XD
• EPA scanning of end-user devices
• Third-party single sign-on
• Single portal for publishing applications
• nFactor authentication based on the user, the user's location, the device in use, and so on
• Integration with StoreFront; changes to the StoreFront UI can be imported into the Gateway Portal UI and vice versa
Slide 12
Use case 2: Unified Gateway provides secure remote access to web and enterprise applications
• Secure remote access to web and enterprise-grade applications, such as:
–ERP/CRM applications
–SharePoint applications
–Network file shares etc.
–OWA
• Monitoring for these applications (Web Insight and Gateway Insight)
• Always-On provides an always-connected experience
• nFactor authentication based on the user, the user's location, the device in use, and so on
• Supports Windows, Mac, Linux, iOS and Android
• Third-party single sign-on
• Single, customizable portal for publishing applications
Slide 13
Use case 3: Unified Gateway provides secure remote access to cloud and SaaS applications
• AAA-TM monitoring for cloud and SaaS applications
–SalesForce
–Office 365
–Etc.
• Third-party single sign-on
• Monitoring for these applications (Web Insight and Gateway Insight)
• Always-On provides an always-connected experience
• Centralized access-control policies
• Single portal for publishing all cloud / SaaS applications
Slide 14
Use case 4: Unified Gateway integrates seamlessly with XenMobile and Intune
• Seamless integration with Citrix XenMobile and MS Intune
• Per-App VPN (MicroVPN) for XM and Intune
• EPA scanning of end-user devices
• Single portal for publishing applications
Slide 15
NetScaler Unified Gateway – functional logic
[Diagram: one URL, one IP, login once. A Content Switching (CS) vServer fronts a Gateway vServer, the single point of authentication, plus LB vServers acting as reverse proxies for Citrix Apps, OWA and SharePoint (paths such as /OWA, /tmtrack, /…), with SSO, including SAML SSO, to the back-end applications.]
Slide 16
Secure access, single sign-on
Slide 17
Identity authentication and access management: Authentication, Authorization, Auditing (AAA)
[Diagram: Client side: LDAP, RADIUS, Cert, SAML, Kerberos, WebAuth, OAuth, RSA, NTLM. Server side: 401, SAML, Form-based, KCD, Kerberos, Basic/Digest, NTLM.]
• Flexible • Extensible • Powerful
Slide 18
Keeping user identity on-premises
1. Unified Gateway user logon
2. NetScaler authenticates the user against AD and returns the UG portal with the O365 apps
3. User clicks on the app to request access
4. O365 redirects the user to the SAML IdP (NetScaler AAA)
5. NetScaler redirects the caller to the SAML SP ACS (AAD) without prompting the user, because a session already exists
6. SAML SP ACS (AAD) checks the SAML assertion and redirects the caller back to the resource
7. Resource access granted
[Diagram: AD synchronized to AAD via DirSync; NetScaler as SAML IdP]
NetScaler as SAML IdP
• SAML SP and IdP functionality
• Integrates with all well-known IdP providers
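The seven-step flow above, modelled as an added Python example (not Citrix code and not NetScaler configuration): the gateway session created at step 2 lets the IdP answer the SP's request at step 5 without a second prompt, and the ACS side shows the checks a relying party must make at step 6 (signature, issuer, audience, one response per request, validity window). The entity IDs, the user directory and the HMAC stand-in for the XML signature are all constructed assumptions.

```python
import hashlib, hmac, json, secrets, time

IDP_KEY = b"constructed-idp-signing-key"        # stand-in for the IdP signing certificate
IDP_ISSUER = "https://ug.example.com/saml/idp"  # assumed NetScaler AAA (IdP) entity ID
SP_ENTITY = "urn:example:aad-sp"                # assumed Azure AD (SP) entity ID
AD_USERS = {"alice": hashlib.sha256(b"P@ssw0rd!").hexdigest()}  # constructed AD stand-in
SESSIONS, PENDING = {}, set()  # UG sessions (step 2); SP request IDs awaiting a response

def sign(assertion):
    """HMAC over the canonical assertion; stands in for XML-DSig with the IdP key."""
    msg = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(IDP_KEY, msg, "sha256").hexdigest()

def gateway_logon(user, password):
    """Steps 1-2: portal logon, credential check against AD, gateway session issued."""
    if AD_USERS.get(user) != hashlib.sha256(password.encode()).hexdigest():
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "auth_time": time.time()}
    return sid

def sp_authn_request():
    """Steps 3-4: O365 (the SP) redirects the browser to the IdP with a fresh request ID."""
    req_id = "_" + secrets.token_hex(8)
    PENDING.add(req_id)
    return {"ID": req_id, "Issuer": SP_ENTITY}

def idp_respond(sid, request, now=None):
    """Step 5: with a live gateway session the IdP issues a signed assertion, no prompt."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return {"action": "prompt"}          # no session: the user must log on first
    now = time.time() if now is None else now
    assertion = {"Issuer": IDP_ISSUER, "Audience": SP_ENTITY, "InResponseTo": request["ID"],
                 "NameID": sess["user"], "NotBefore": now - 60, "NotOnOrAfter": now + 300}
    return {"action": "post", "assertion": assertion, "Signature": sign(assertion)}

def acs_validate(response, now=None):
    """Steps 6-7: the SP's ACS verifies the assertion before granting the resource."""
    a, now = response["assertion"], (time.time() if now is None else now)
    checks = [(hmac.compare_digest(sign(a), response["Signature"]), "bad signature"),
              (a["Issuer"] == IDP_ISSUER, "unknown issuer"),
              (a["Audience"] == SP_ENTITY, "audience mismatch"),
              (a["InResponseTo"] in PENDING, "unsolicited or replayed response"),
              (a["NotBefore"] <= now < a["NotOnOrAfter"], "outside validity window")]
    for ok, reason in checks:
        if not ok:
            return "reject: " + reason
    PENDING.discard(a["InResponseTo"])      # each request accepts exactly one response
    return "granted: " + a["NameID"]
```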
Slide 19
nFactor for Gateway: improves application security; the most flexible authentication infrastructure for any kind of use case
• Dynamic authentication flow
–Policy-based auth factor selection and presentation
• Extensible to any number of factors
• Content of each authentication factor generated dynamically
• XML-defined UI generation using “LoginSchema”
[Diagram: Gateway → 1st factor → Policy-1: pass → 2nd factor; fail → 3rd factor]
Slide 20
nFactor-based gateway use cases can satisfy highly complex requirements
• EPA-based selection of the authentication factor
• Drop-down menus for domain / auth methods / preferences, etc.
• Different authentication requirements for different user classes (for example employees and partners) on the same gateway
• Login pages whose labels change with the factor being presented
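An added Python illustration for the two nFactor slides above (not Citrix code and not NetScaler nFactor configuration syntax): the pass/fail factor graph of the previous slide, with a policy step that picks the next factor from the domain drop-down, the user class (employee or partner) and the EPA result. The directory, one-time codes and factor labels are constructed.

```python
# Toy directory and one-time codes, constructed for this example.
DIRECTORY = {"corp": {"alice": "Secret1!"}, "partner": {"bob": "Passw0rd"}}
OTP_CODES = {"alice": "123456"}

def password_check(ctx, form):
    """1st factor: domain drop-down plus user/password against that domain's directory."""
    ok = DIRECTORY.get(form["domain"], {}).get(form["user"]) == form["password"]
    if ok:
        ctx.update(domain=form["domain"], user=form["user"])  # identity now established
    return ok

def otp_check(ctx, form):
    return OTP_CODES.get(ctx.get("user")) == form["otp"]

def epa_check(ctx, form):
    """EPA factor: no form fields, the decision comes from the endpoint scan result."""
    return bool(ctx.get("device_compliant"))

def after_password(ctx):
    """Policy-1: choose the next factor from the user class and the EPA result."""
    if ctx["domain"] == "partner":
        return "epa"                                  # partners need a compliant device
    return "ALLOW" if ctx.get("device_compliant") else "otp"  # employees: OTP off managed devices

# Factor graph: login schema (fields to render), check, and next label on pass / fail.
FACTORS = {
    "password": {"schema": ["domain", "user", "password"], "check": password_check,
                 "on_pass": after_password, "on_fail": lambda ctx: "DENY"},
    "otp": {"schema": ["otp"], "check": otp_check,
            "on_pass": lambda ctx: "ALLOW", "on_fail": lambda ctx: "DENY"},
    "epa": {"schema": [], "check": epa_check,
            "on_pass": lambda ctx: "ALLOW", "on_fail": lambda ctx: "DENY"},
}

def authenticate(ctx, forms, start="password"):
    """Walk the factor graph. `forms` maps factor label -> fields the user submitted.
    Returns (decision, path): path is the ordered list of factors actually presented."""
    label, path = start, []
    while label not in ("ALLOW", "DENY"):
        factor = FACTORS[label]
        path.append(label)
        form = forms.get(label, {})
        if any(field not in form for field in factor["schema"]):
            return "DENY", path                     # schema field missing: cannot evaluate
        passed = factor["check"](ctx, form)
        label = factor["on_pass"](ctx) if passed else factor["on_fail"](ctx)
    return label, path
```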
Slide 21
Always-On: stay connected; a location-aware automatic VPN for the best security and user experience
[Diagram: Corporate Network]
• Seamless end-user experience
• Strict control over managed devices
• Location awareness
• Flexible configuration modes suited to a wide range of use cases
Slide 22
NetScaler with Unified Gateway
• “All applications” through one gateway
• 5-to-1 consolidation
• Single URL
• Integration of virtual apps and desktops
• Visibility
• Lower TCO
• Consistency
Slide 23
Monitoring and analytics
Slide 24
NetScaler MAS
[Diagram: users and apps; AppFlow data from NetScaler to the Insight centre; HDX Insight, Web Insight and Gateway Insight produce user and app data (reports, graphs, tables, etc.)]
Gateway Insight
• Visibility into the user experience
• Gateway user session information
Slide 25
Reporting capabilities
• Endpoint Analysis (EPA)
• Single Sign-On (SSO)
• Authentication, app launch, session termination
• Access modes: Network, Web, Virtual Apps & Desktops
Slide 26
Gateway Insight: monitoring the user's remote-access experience (reporting)
• Monitoring of all application traffic
–Virtual apps and desktops
–Cloud applications
–On-premise applications
• Data related to any user access, such as:
–EPA failures
–Single sign-on failures
–Application launch failures
–Incorrect/expired password issues
–Etc.
Slide 27
Time-bound summaries
Slide 28
Visibility into errors and EPA methods
Slide 29
Troubleshoot user authentication errors
Slide 30
Troubleshoot single sign-on issues
Slide 31
Troubleshoot application launch issues in HDX sessions
Slide 32
User-friendly interface
Slide 33
Portal UI customization
• Background image
• Header logo & position
• Brand logo
• Logon button logo
• Field titles & font
• Form title
Slide 34
Portal UI customization
Major customizable parameters, including CSS styling that is applied consistently to all pages. Labels on individual pages are also customizable.
Slide 35
RfWeb UI on Gateway provides a consistent user experience; UI changes are easy to manage
Slide 36
Licensing overview
Slide 37
Unified Gateway – licensing requirements
Feature: Unified Gateway
License                Included
NetScaler Platinum     ✔
NetScaler Enterprise   ✔
NetScaler Standard     ✗
NetScaler Gateway      ✗
Slide 38
Universal Licenses: pricing and bundle updates – price-competitive SSL VPN
NetScaler Edition   NetScaler Gateway Universal License entitlement
Standard            500
Enterprise          1000
Platinum            Not required
• Build 11.1-49.16 or later
• CCU licenses that come with XenApp and XenDesktop Platinum cannot be used for SSL VPN use cases
Slide 39
Summary
Slide 40
Granular control over remote access: the remote-access session and the back-end / data-center connection
Endpoint analysis
• Pre-authentication
• Post-authentication
• OPSWAT
Authentication
• LDAP/RADIUS/TACACS+/Local
• SAML/Kerberos/NTLM/Certificate/OAuth
• Cascading/multi-factor
Session
• Per-user/per-session behaviour
• Policy-based granularity
Single Sign-On
• 401/form-based
• SAML/KCD
• Selective public-IP SSO
Authorization
• Global/group/user-level control
• Blacklist/whitelist behaviour
• L3-L7 based policy support
Traffic
• Per-request level behaviour definition
• Selective enable/disable of proxy/SSO
• App-level timeouts
End-to-end
• Logging
• Visibility
• Security
Slide 41
The Unified Gateway solution improves the end-user experience, centralizes identity and infrastructure management, and provides visibility
• Unified Gateway
• Enterprise / web apps
• Mobile apps
• SaaS/cloud apps
• Multi-hypervisor support
• Best authentication support
• Rich policy framework
Consolidation – TCO ↓
• Cloud services
• Visibility into all applications
• Contextual security policies
• Multi-step authentication
Advantages
• Best user experience
• Contextual security policies
• Best performance
XenApp & XenDesktop integration
• Best user experience
• Centralized policies
• Secure end-user devices
• Supports all end-user devices
Competition
Slide 42
Poll questions
• How many different vendors do you need to deliver the following?
–Remote Access (SSL VPN)
–Single Sign-On to Web and SaaS applications
–Proxy to VDI applications like Citrix XenApp/XenDesktop
• In your current environment, how many vendors does your enterprise have?
–1
–2
–3
–4
–More than 4
Slide 43
The fast-growing NetScaler community
And many more blogs: netscalerrocks.com, msandbu.wordpress.com, www.ingmarverheij.com, www.carlstalhood.com, ilovenetscaler.com, blog.norz.at, Citrix Blogs
Slide 44
Q & A