Carl,

We evaluated the 4.0 code.

Regards,
Rob

-----Original Message-----
From: Carl Stalhood [mailto:cstalhood@xxxxxxxxxxxxx]
Sent: Thursday, June 02, 2005 2:45 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix Access Gateway

What version of the AG software did you eval? Was it AG 4.0 or AG 4.9? Kiosk mode is different in AG 4.0. Note that AG 4.0 is newer than AG 4.9.

_____

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Armstrong, Robert
Sent: Thursday, June 02, 2005 1:02 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Citrix Access Gateway

Jonathan,

Just got done with a 30 day eval. Impressive product. We had great success with it and I anticipate buying it. I haven't made a decision however, because at the moment we're now evaluating another SSL VPN called Base5 from Permeo (http://www.permeo.com). You should evaluate both products as both have their strengths.

The CAG was relatively easy to install. The administration console is not real intuitive, but after some time working with it, it's not too bad (a little kludgy). It could use a little work.

The CAG uses two access modes (one called the Full Access Client and the other Kiosk mode). Full access mode allows you to establish an SSL tunnel with the AG. It requires a client which gets installed upon initial contact with the AG. Kiosk mode allows the user to establish a virtual session right on the AG appliance. The actual session processing takes place on the AG and consumes resources on the AG (memory, CPU, etc). The Kiosk mode was not very well liked by our users, but could be the only option for them if they are using non-Windows clients or are on a machine that does not permit them to install software.

Full Access Client is the way to go and it worked very well. Performance was very good and we could access almost anything behind the gateway.
We could access Terminal Servers (RDP), Citrix Servers (ICA), Citrix publications, Intranet sites, file shares, etc. as if we were connected locally. No complaints.

One very very nice feature offered by the AG is the ability of the remote user to share his desktop. A remote user requiring support can send an invitation to a helpdesk rep and the helpdesk rep can accept the invite and connect directly to the remote user's desktop. This is probably going to be one of the big deciding factors for us. The ability to easily take control of the remote users' desktops will greatly reduce the amount of time and effort our support staff spends on the phone with the remote users.

The CAG offers host side checking and can make sure the host meets certain requirements before it is permitted to establish a tunnel. The only problem we had was getting the client installed and working on some workstations.

The Base5 product is very nice too and actually offers a very impressive admin interface and offers the ability to get very very granular in terms of providing access to and securing resources. For example, you can configure the following policy:

Permit UserGroupA, between the hours of 8:00 am and 5:00 pm EST, to access CITRIX Server A via the Citrix ICA Client version 8.0.x.x having an MD5 checksum of x and using port 8010. The host must also be running NAV and must have a registry entry matching x. If the host is running Kazaa client, deny the session. If the host launches Kazaa after the session has been established, terminate the session immediately.

It's really very cool how granular you can get with your security policies. I was very impressed at the ease of use.

Installation was very simple. The Base5 product runs on a hardened Linux kernel and gets installed on whatever server you choose (as long as you can get Linux running on it). You do not have to have Linux knowledge. The install is contained on a single bootable CD and fires up.
Once the OS and Base5 have been installed, it runs you through a set of configuration wizards to define some basic policies and in about 15 minutes you have a fully functional SSL tunnel server.

The Base5 client (called the CONNECTOR) is downloaded each time a client logs in. The client is self contained and is removed once the session is terminated. We had no problems getting this client installed on any of the client machines we tested with (only Win2000, WinXP, and Windows 2003 server clients are supported). However, Base5 does offer SOCKS proxy for non-Windows clients, but the policies are not enforced (don't know to what degree as I did not test this feature to date).

One drawback and unlike the CAG, a client cannot map a network drive letter. Any access to file shares has to be through WebDAV (using MS Web Files components). This is not too big of a problem and can, in most cases, be worked around quite easily. The other disappointing thing is the inability to get remote control of the remote client session.

I'm really torn between the two alternatives. Both worked great. Both are a wash in terms of pricing (coincidence??). I'd like to buy both!

I hope this helps.

regards,
Rob

-----Original Message-----
From: Jonathan Kadoo [mailto:jkadoo@xxxxxxxxxxxxxx]
Sent: Tuesday, May 24, 2005 3:15 PM
To: Thinlist
Subject: [THIN] Citrix Access Gateway

Hey everyone, we are looking into getting the above product and I was wondering if anyone has any experience with it. We are having a lot of issues with our users being at a customer site and not being able to connect to the office. The customer sites usually have some firewall that is blocking Citrix ports. I am hoping that we could use the gateway product to get around this issue.

Any insights would be greatly appreciated.

Jonathan

_____

This message may contain confidential and/or privileged information.
If you are not the intended recipient or authorized to receive this for the intended recipient, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by sending a reply e-mail and delete this message. Thank you for your cooperation.
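
The conditional access policy Rob describes for Base5, evaluated once at connect and again on every later posture report so that a host which becomes non-compliant mid-session is cut off. This is an added example, not part of the thread and not Base5's or Citrix's configuration format; the Policy and Host structures, registry key, process names and checksum are hypothetical placeholders, and times are assumed to be already in the policy's time zone.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Policy:  # hypothetical structure, not Base5's policy format
    group: str
    hours: tuple          # (start, end), already in the policy's time zone
    target: tuple         # (server, port)
    client_md5: str
    required_procs: frozenset
    registry: tuple       # (key, expected value)
    banned_procs: frozenset

@dataclass(frozen=True)
class Host:  # posture reported by the client at one point in time
    procs: frozenset
    registry: dict
    client_md5: str

def evaluate(p, groups, now, target, host):
    """Return (allowed, reason); the first failed condition wins."""
    key, want = p.registry
    checks = [
        (p.group in groups, "user not in permitted group"),
        (p.hours[0] <= now <= p.hours[1], "outside permitted hours"),
        (target == p.target, "server/port not permitted"),
        (host.client_md5 == p.client_md5, "client checksum mismatch"),
        (p.required_procs <= host.procs, "required software not running"),
        (host.registry.get(key) == want, "registry entry mismatch"),
        (not (p.banned_procs & host.procs), "banned software running"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason
    return True, "permit"

def run_session(p, groups, target, snapshots):
    """Evaluate at connect, then on every later posture snapshot; stop at first deny."""
    log = []
    for i, (now, host) in enumerate(snapshots):
        ok, reason = evaluate(p, groups, now, target, host)
        log.append(("connect" if i == 0 else "recheck", ok, reason))
        if not ok:
            break  # deny at connect, or terminate an established session
    return log

# Constructed sample values (checksum, registry key and process names are placeholders).
MD5 = "0" * 32
POLICY = Policy("UserGroupA", (time(8), time(17)), ("CitrixServerA", 8010), MD5,
                frozenset({"nav.exe"}), (r"HKLM\Software\Example\Posture", "ok"),
                frozenset({"kazaa.exe"}))
CLEAN = Host(frozenset({"nav.exe"}), {r"HKLM\Software\Example\Posture": "ok"}, MD5)
DIRTY = Host(CLEAN.procs | {"kazaa.exe"}, CLEAN.registry, MD5)
```

Passing `[(time(9), CLEAN), (time(9, 30), DIRTY)]` to `run_session` yields a permit at connect followed by a deny on the recheck, which is the behaviour a connect-time-only host check cannot provide.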