Simulating a Traditional VPN Using Access Gateway with Advanced Access Control

Citrix states in their article: CTX109043

Document ID: CTX109043, Created on: Mar 8, 2006, Updated: Mar 8, 2006

Products: Advanced Access Control 4.2, Citrix Access Gateway 4.2

Summary

Advanced Access Control and Access Gateway 4.2 can easily be configured to use the Secure Access Client as a traditional Virtual Private Network (VPN) client that provides secure access to all internal network resources defined by the administrator.

Overview

When setting up a “VPN” configuration there are both required and optional settings to configure in Advanced Access Control, both of which will be explained in this article. If you have an existing VPN solution that you desire to mirror using Advanced Access Control, it will be helpful to document these settings so that they can easily be configured in Advanced Access Control. This article assumes that Advanced Access Control has been installed and that the Access Gateway(s) are in Advanced Access Control mode and joined to your Advanced Access Control Farm. For details on either of these steps, reference the Citrix Access Gateway with Advanced Access Control Administrator’s Guide.

The required configurations include:

• Defining Network Resource

• An access policy that grants access to the desired Network Resources

• A connection policy that enables the launching of the Secure Access Client

• Determining and defining the appropriate Split Tunneling settings

The optional configurations include:

• Restricting the access and connection policies by Users or Groups or Filters

• Defining IP Pools

• Enabling Split DNS

Network Resources

The network resources are used to define which specific subnet ranges, Fully Qualified Domain Names (FQDN), IP addresses, and Port/Protocol combinations the Secure Access Client is either Allowed or Denied access to when connected. The administrator can choose to use the preconfigured Entire Network resource, which equates to the network range 0.0.0.0/0.0.0.0 for all ports, or define custom settings using the settings mentioned above.

Using the Entire Network resource provides the quickest and easiest configuration, but also opens the widest network range granting access to the entire network. Administrators should review their network and security requirements to determine if more granular access is required. If more granular access is required, custom network resources should be defined. For more detail on configuring Network Resources see the Creating Network Resources for VPN Access section of the Citrix Access Gateway with Advanced Access Control Administrator’s Guide.

Access Policies

Access Policies are used to control which network resources users are allowed and denied access to under which conditions. At least one access policy containing the desired network resources must be configured in order to configure VPN Access. The access policy should contain either the Entire Network resource or any custom network resources you wish to allow or deny access to.

In a situation where you want to explicitly Allow and Deny access to network resources, separate policies will be needed: one for the Allowed resources and one for the Denied resources.

When custom network resources are defined and used, the Entire Network resource should not be selected because it grants access to the entire network thereby causing access conflicts with the custom network resources.

Note: The Entire Network resource cannot be deleted.

For more detail on configuring Access Policies see the Controlling Access through Policies section of the Citrix Access Gateway with Advanced Access Control Administrator’s Guide.

Connection Policy

Connection policies control the conditions under which the Secure Access Client is launched and the associated settings. The primary setting of concern when configuring VPN access is the Launch the Secure Access Client if access allowed setting which controls the launching of the Secure Access Client. At least one connection policy must have this setting enabled. For more information on configuring connection policies see the Creating Connection Policies section of the Citrix Access Gateway with Advanced Access Control Administrator’s Guide.

Split Tunneling

Split tunneling enables client devices to communicate with public Internet resources and your corporate network concurrently.

Split tunneling requires you to configure a list of accessible networks so that users can access corporate resources. For example, an accessible network of 0.0.0.0/0.0.0.0 would grant access to the entire network. An accessible network of 10.0.0.0/255.0.0.0 would grant access to only the 10.x.x.x subnet. Your specific network and security requirements will determine which accessible networks to add. Ensure that any Network Resources defined earlier fall within the accessible networks range if using Split Tunneling. If this list is not defined, users cannot access any corporate resources regardless of any policies granting access.

Disabling split tunneling maximizes the security of client connections and requires no additional configuration for users to begin accessing corporate resources. When split tunneling is disabled, all network traffic sent by the Secure Access Client is routed through the Access Gateway, including traffic to public Internet Web sites.

For more information on Split Tunneling see the Configuring Split Tunneling section of the Citrix Access Gateway with Advanced Access Control Administrator’s Guide.

Optional Configurations

Restricting access and connection policies by Users, Groups or Filters

Both access and connection policies can provide further granular control with the use of Filters and User/Group access control. Both settings are optional when creating policies and can be changed at any time. For more details on these topics see the Citrix Access Gateway with Advanced Access Control Administrator’s Guide.

IP Pools

IP Pools are optional and can be used to give clients connecting with the Secure Access Client a unique IP address. A unique IP range should be set aside for this usage that does not conflict with any existing DHCP Scopes or static IPs in use.

Note: Access Gateways require a reboot before this setting is applied.

For more detail on configuring IP Pools see the Creating Connection Policies section of the Citrix Access Gateway with Advanced Access Control Administrator’s Guide.
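The article's three consistency rules (custom network resources must fall inside the Split Tunneling accessible networks, a policy should not mix Entire Network with custom resources, and an IP Pool must not overlap existing DHCP scopes or static ranges) can be checked before the configuration is committed. The script below is an added example, not Citrix code or any Advanced Access Control API; it only handles IP/subnet resources in the article's address/dotted-mask notation (FQDN and port/protocol resources are out of scope), and all resource and range lists are constructed samples.

```python
# Added example (not from the Citrix article): pre-deployment checks for the
# "VPN" settings described above, written in the address/dotted-mask notation
# the article uses.  All resource and range lists here are constructed samples.
import ipaddress

ENTIRE_NETWORK = "0.0.0.0/0.0.0.0"   # the preconfigured Entire Network resource


def parse_network(spec: str) -> ipaddress.IPv4Network:
    """Parse 'address/dotted-mask' (e.g. 10.0.0.0/255.0.0.0) into a network."""
    addr, mask = spec.split("/")
    # strict=False tolerates a host address paired with a wider mask
    return ipaddress.IPv4Network((addr, mask), strict=False)


def unreachable_resources(resources, accessible_networks, split_tunneling=True):
    """Return the IP-based network resources that no accessible network covers.

    With split tunneling enabled, a resource outside every accessible network is
    unreachable even if an access policy allows it; an empty accessible-network
    list therefore flags everything.  With split tunneling disabled, all traffic
    is routed through the Access Gateway, so nothing is flagged.
    """
    if not split_tunneling:
        return []
    nets = [parse_network(n) for n in accessible_networks]
    return [r for r in resources
            if not any(parse_network(r).subnet_of(n) for n in nets)]


def entire_network_conflict(policy_resources):
    """True when one policy mixes Entire Network with custom network resources."""
    custom = [r for r in policy_resources if r != ENTIRE_NETWORK]
    return ENTIRE_NETWORK in policy_resources and bool(custom)


def pool_overlaps(ip_pool, existing_ranges):
    """Return the DHCP scopes / static ranges that the IP Pool overlaps."""
    pool = parse_network(ip_pool)
    return [r for r in existing_ranges if pool.overlaps(parse_network(r))]


if __name__ == "__main__":
    resources = ["10.1.2.0/255.255.255.0", "192.168.50.10/255.255.255.255"]
    accessible = ["10.0.0.0/255.0.0.0"]
    print(unreachable_resources(resources, accessible))
    print(entire_network_conflict([ENTIRE_NETWORK, "10.1.2.0/255.255.255.0"]))
    print(pool_overlaps("10.200.0.0/255.255.255.0", ["10.200.0.0/255.255.0.0"]))
```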

Enable Split DNS

Split DNS is an optional setting that allows failover to a client’s local DNS setting should the remote DNS server not be available. By default, Access Gateway checks a user’s remote DNS only.

