Security Dilemma - ICA Proxy or Block Internet (Full SSL Tunnel), in the Advanced Access Control / Citrix Access Gateway forum on BrianMadden.com

This post has 7 Replies | 3 Followers

Ron Kuper Posted: 02-10-2009 7:51 AM

Hi Guys,

A security consultant has advised us to use a full SSL Tunnel in order to block Internet connectivity from external customers while connecting to our XenApp based trading farm.

I saw in the AGEE 9.0 Admin Guide that enabling the SSL Tunnel would mean turning off the ICA Proxy (bet it's a NetScaler/Net6/CSG integration issue yet again).

Doesn't this mean that the use of the Secure Ticketing Authority is now disabled and that once an SSL VPN Tunnel has been formed from the client machine, the user has direct (although encrypted) access to each and every one of our XenApp servers (ICA/CDP port of course)?

What would you choose?

Update - The SSL Tunnel/ICA Proxy issue has been confirmed by Citrix:

http://forums.citrix.com/thread.jspa?threadID=241656&tstart=0


Hi John,

John Smith:
I somehow get the feeling that this guy has never worked with Citrix or does not have any knowledge of it.

You're Absolutely Right, Commander!

They have no idea and are just drinking all the sales pitch kool aid without checking the bits behind the scenes.

You are talking about the same people who advise putting firewalls in front of NetScaler and get paid big money for this "sound" advice.

Wish you could share some battle tips :)

Anyhow, the stance they are sitting on is to not allow Internet access while accessing the system (using a full tunnel, not a split tunnel). This is not a foolish notion all by itself, but it will not help protect our terminal based system at all.

I think you all are missing an important issue. Security is important, yes, but the business must go on. The best security is having no internet connection at all. If by taking an SSL VPN into consideration the business sees opportunities, automatically risks are introduced. For us techies these risks must be clear and we need to find a way to mitigate them. What is left of the risks after mitigation should be accepted by the business. If the company decides that split tunneling is allowed within an SSL VPN, who are we to discuss blocking it? In most cases I would recommend allowing a full SSL VPN tunnel only to machines the company can trust as being well protected, while clientless access is more suited for less trusted machines.

The business can only determine what type of secured access is necessary based upon technical advice. It will not be a good decision to open full SSL VPN in conjunction with Access Gateway due to the purpose of what this product does. The Access Gateway serves its purpose when it comes to security by providing access to specific Citrix servers. With the cool feature of endpoint analysis the security for the corporate environment is quite high.

Therefore preventing full SSL tunneling in the network becomes an unnecessary decision. I understand your point about the emphasis of having SSL VPN, but the purpose it serves needs to be more explicit.


If you want to block users from accessing external websites, you can create a policy with bogus IPs in all your protocols and ports. Then add exclusions for your internal web applications. Works great through my NetScaler.
