[THIN] Re: Citrix Access Gateway

  • From: "Carl Stalhood" <cstalhood@xxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Thu, 2 Jun 2005 13:44:53 -0500

What version of the AG software did you eval? Was it AG 4.0 or AG 4.9? Kiosk 
mode is different in AG 4.0. Note that AG
4.0 is newer than AG 4.9.

 

  _____  

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of 
Armstrong, Robert
Sent: Thursday, June 02, 2005 1:02 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Citrix Access Gateway

 

Jonathan,

 

Just got done with a 30 day eval.  Impressive product.  We had great success 
with it and I anticipate buying it.  I
haven't made a decision however, because at the moment we're now evaluating 
another SSL VPN called Base5 from Permeo
(http://www.permeo.com)

 

You should evaluate both products as both have their strengths.

 

The CAG was relatively easy to install.  The administration console is not real 
intuitive, but after some time working
with it, it's not too bad (a little kludgy).  It could use a little work.

 

The CAG uses two access modes (one called the Full Access Client and the other 
Kiosk mode).  Full access mode allows you to
establish an SSL tunnel with the AG.  It requires a client which gets installed 
upon initial contact with the AG.  Kiosk
mode allows the user to establish a virtual session right on the AG appliance.  
The actual session processing takes
place on the AG and consumes resources on the AG (memory, CPU, etc.).  The Kiosk 
mode was not very well liked by our
users, but could be the only option for them if they are using non-Windows 
clients or are on a machine that does not
permit them to install software.  Full Access Client is the way to go and it 
worked very well.  Performance was very
good and we could access almost anything behind the gateway.  We could access 
Terminal Servers (RDP), Citrix Servers
(ICA), Citrix publications, Intranet sites, file shares, etc. as if we were 
connected locally.  No complaints.  One very
very nice feature offered by the AG is the ability of the remote user to share 
his desktop.  A remote user requiring
support can send an invitation to a helpdesk rep and the helpdesk rep can 
accept the invite and connect directly to the
remote user's desktop.  This is probably going to be one of the big deciding 
factors for us.  The ability to easily take
control of the remote users' desktops will greatly reduce the amount of time and 
effort our support staff spends on the
phone with the remote users.

 

The CAG offers host side checking and can make sure the host meets certain 
requirements before it is permitted to
establish a tunnel.

 

The only problem we had was getting the client installed and working on some 
workstations.

 

The Base5 product is very nice too and actually offers a very impressive admin 
interface and offers the ability to get
very very granular in terms of providing access to and securing resources.  

 

For example, you can configure the following policy:

 

Permit UserGroupA, between the hours of 8:00 am and 5:00 pm EST, to access 
CITRIX Server A via the Citrix ICA Client
version 8.0.x.x having an MD5 checksum of x and using port 8010.  The host must 
also be running NAV and must have a
registry entry matching x.  If the host is running Kazaa client, deny the 
session.  If the host launches Kazaa after the
session has been established, terminate the session immediately.

 

It's really very cool how granular you can get with your security policies.  I 
was very impressed at the ease of use.
Installation was very simple.  The Base5 product runs on a hardened Linux 
kernel and gets installed on whatever server
you choose (as long as you can get Linux running on it).  You do not have to 
have Linux knowledge.  The install is
contained on a single bootable CD and fires up.  Once the OS and Base5 have been 
installed, it runs you through a set of
configuration wizards to define some basic policies and in about 15 minutes you 
have a fully functional SSL tunnel
server.

 

The Base5 client (called the CONNECTOR) is downloaded each time a client logs 
in.  The client is self-contained and is
removed once the session is terminated.  We had no problems getting this client 
installed on any of the client machines we
tested with (Only Win2000, WinXP, and Windows 2003 server clients are 
supported).  However, Base5 does offer SOCKS proxy
for non-Windows clients, but the policies are not enforced (don't know to what 
degree as I did not test this feature to
date).  One drawback and unlike the CAG, a client cannot map a network drive 
letter.  Any access to file shares has to
be through WebDAV (using MS Web Files components).  This is not too big of a 
problem and can, in most cases, be worked
around quite easily.  The other disappointing thing is the inability to get 
remote control of the remote client session.

 

I'm really torn between the two alternatives.  Both worked great.  Both are a 
wash in terms of pricing (coincidence??).
I'd like to buy both!

 

I hope this helps.

 

regards,

Rob  

 

 -----Original Message-----
From: Jonathan Kadoo [mailto:jkadoo@xxxxxxxxxxxxxx] 
Sent: Tuesday, May 24, 2005 3:15 PM
To: Thinlist
Subject: [THIN] Citrix Access Gateway

Hey everyone, we are looking into getting the above product and I was wondering 
if anyone has any experience with it.
We are having a lot of issues with our users being at a customer site and not 
being able to connect to the office.  The
customer sites usually have some firewall that is blocking Citrix ports.  I am 
hoping that we could use the gateway
product to get around this issue.

 

Any insights would be greatly appreciated

 

Jonathan
