[THIN] Re: Citrix Access Gateway

  • From: "Armstrong, Robert" <robert.armstrong@xxxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Thu, 2 Jun 2005 14:01:48 -0400

Jonathan,
 
Just got done with a 30 day eval.  Impressive product.  We had great success
with it and I anticipate buying it.  I haven't made a decision however,
because at the moment we're now evaluating another SSL VPN called Base5 from
Permeo (http://www.permeo.com)
 
You should evaluate both products as both have their strengths.
 
The CAG was relatively easy to install.  The administration console is not
real intuitive, but after some time working with it, it's not too bad (a
little kludgy).  It could use a little work.
 
The CAG uses two access modes (one called the Full Access Client and the
other Kiosk mode).  Full access mode allows you to establish an SSL tunnel with
the AG.  It requires a client which gets installed upon initial contact with
the AG.  Kiosk mode allows the user to establish a virtual session right on
the AG appliance.  The actual session processing takes place on the AG and
consumes resources on the AG (memory, CPU, etc.).  The Kiosk mode was not very
well liked by our users, but could be the only option for them if they are
using non-Windows clients or are on a machine that does not permit them to
install software.  Full Access Client is the way to go and it worked very
well.  Performance was very good and we could access almost anything behind
the gateway.  We could access Terminal Servers (RDP), Citrix Servers (ICA),
Citrix publications, Intranet sites, file shares, etc as if we were
connected locally.  No complaints.  One very very nice feature offered by
the AG is the ability of the remote user to share his desktop.  A remote
user requiring support can send an invitation to a helpdesk rep and the
helpdesk rep can accept the invite and connect directly to the remote user's
desktop.  This is probably going to be one of the big deciding factors for
us.  The ability to easily take control of the remote users' desktops will
greatly reduce the amount of time and effort our support staff spends on the
phone with the remote users.
 
The CAG offers host side checking and can make sure the host meets certain
requirements before it is permitted to establish a tunnel.
 
The only problem we had was getting the client installed and working on some
workstations.
 
The Base5 product is very nice too and actually offers a very impressive
admin interface and offers the ability to get very very granular in terms of
providing access to and securing resources.  
 
For example, you can configure the following policy:
 
Permit UserGroupA, between the hours of 8:00 am and 5:00 pm EST, to access
CITRIX Server A via the Citrix ICA Client version 8.0.x.x having an MD5
checksum of x and using port 8010.  The host must also be running NAV and
must have a registry entry matching x.  If the host is running Kazaa client,
deny the session.  If the host launches Kazaa after the session has been
established, terminate the session immediately.
 
It's really very cool how granular you can get with your security policies.
I was very impressed at the ease of use.  Installation was very simple.  The
Base5 product runs on a hardened Linux kernel and gets installed on whatever
server you choose (as long as you can get Linux running on it).  You do not
have to have Linux knowledge.  The install is contained on a single bootable
CD and fires up.  Once the OS and Base5 have been installed, it runs you
through a set of configuration wizards to define some basic policies and in
about 15 minutes you have a fully functional SSL tunnel server.
 
The Base5 client (called the CONNECTOR) is downloaded each time a client
logs in.  The client is self contained and is removed once the session is
terminated.  We had no problems getting this client installed on any of the
client machines we tested with (Only Win2000, WinXP, and Windows 2003 server
clients are supported).  However, Base5 does offer SOCKS proxy for
non-Windows clients, but the policies are not enforced (don't know to what
degree as I did not test this feature to date).  One drawback and unlike the
CAG, a client cannot map a network drive letter.  Any access to file shares
has to be through WebDAV (using MS Web Files components).  This is not too
big of a problem and can, in most cases, be worked around quite easily.  The
other disappointing thing is the inability to get remote control of the
remote client session.
 
I'm really torn between the two alternatives.  Both worked great.  Both are
a wash in terms of pricing (coincidence??).  I'd like to buy both!
 
I hope this helps.
 
regards,
Rob  
 
 -----Original Message-----
From: Jonathan Kadoo [mailto:jkadoo@xxxxxxxxxxxxxx] 
Sent: Tuesday, May 24, 2005 3:15 PM
To: Thinlist
Subject: [THIN] Citrix Access Gateway



Hey everyone, we are looking into getting the above product and I was
wondering if anyone has any experience with it.  We are having a lot of
issues with our users being at a customer site and not being able to connect
to the office.  The customer sites usually have some firewall that is
blocking Citrix ports.  I am hoping that we could use the gateway product to
get around this issue.
 
Any insights would be greatly appreciated
 
Jonathan


This message may contain confidential and/or privileged information.  If you 
are not the intended recipient or authorized to receive this for the intended 
recipient, you must not use, copy, disclose or take any action based on this 
message or any information herein.  If you have received this message in error, 
please advise the sender immediately by sending a reply e-mail and delete this 
message.  Thank you for your cooperation.
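
The granular policy described in the reply above (group, time window, target server and port, client checksum, host checks, and terminating the session if a banned program starts later), modelled as an added example that is not part of the original posts and is not Base5 code or its policy format. The schema, process names, registry key, server name and checksum are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Policy:                 # hypothetical schema, not a vendor format
    group: str
    start: time
    end: time
    server: str
    port: int
    client_md5: str
    required_procs: frozenset
    required_reg: tuple       # (key, expected value)
    banned_procs: frozenset

@dataclass(frozen=True)
class Posture:                # what a host-check agent would report
    procs: frozenset
    registry: dict
    client_md5: str

def posture_ok(p, h):
    """Host checks; run at login and again on every posture update."""
    if h.procs & p.banned_procs:
        return False, "banned process running"
    if not p.required_procs <= h.procs:
        return False, "required process missing"
    key, val = p.required_reg
    if h.registry.get(key) != val:
        return False, "registry mismatch"
    return True, "ok"

def admit(p, group, now, server, port, h):
    """Default deny: every clause must match before the tunnel opens."""
    if group != p.group:
        return False, "group"
    if not (p.start <= now < p.end):
        return False, "outside hours"
    if (server, port) != (p.server, p.port):
        return False, "resource"
    if h.client_md5.lower() != p.client_md5.lower():
        return False, "client checksum"
    return posture_ok(p, h)

# Constructed sample values
REG_KEY = "HKLM\\Software\\Example\\Marker"
POLICY = Policy("UserGroupA", time(8), time(17), "citrix-a", 8010, "0" * 32,
                frozenset({"nav.exe"}), (REG_KEY, "1"), frozenset({"kazaa.exe"}))
GOOD = Posture(frozenset({"nav.exe", "wfica32.exe"}), {REG_KEY: "1"}, "0" * 32)
```

Calling `posture_ok` again whenever the agent reports a changed process list is what turns the "terminate if Kazaa launches" clause into a mid-session kill. A present-day version would pin the client by SHA-256 or code signature rather than MD5.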
