Citrix ADC clientless VPN features

Moving from traditional SSL-VPN to clientless architecture

VPNs have long been a trusted and popular solution for securing remote access to company resources, and the COVID-19 crisis highlighted the need for reliable and secure remote working solutions. However, while the VPN has been a trusted solution for years, it may not always be the best fit for supporting today’s workforce and securing enterprise assets against modern threats:

  • Uncontrolled user device: For external partners, suppliers, BYO users and third-party staff, using a full VPN introduces risk, as you likely do not have total control of the connection from end to end. If an administrator’s remote endpoint is compromised, a full VPN tunnel leaves access wide open for the attacker: malware could easily execute over the tunnel and propagate to other systems, stealing data or bringing your business down.

  • Mobility: Enterprise app exposure needs to change dynamically depending on the user context. Is the user connecting from a mobile device which can easily be lost or stolen? Are they connecting from the office? From home? From a foreign country?

  • Full VPN client issues: Full VPNs require hardware or software clients which are fairly complex for end users to deploy (BYOD), sometimes have compatibility issues with modern Linux distributions, and introduce network issues when split tunneling or split DNS is required.

Moreover, traditional VPNs anchor users to their enterprise-configured devices, while modern workforces are changing into highly mobile, device-flexible teams. Therefore, traditional security approaches need to change: IT can no longer FORCE the user into certain security models but needs to have security models that FOLLOW the user. Traditional VPN access models limit user flexibility and often impede productivity.

Clientless VPN with Citrix Gateway

Clientless SSL VPN enables end users to securely access resources on the corporate network from anywhere using an SSL-enabled Web browser without requiring any software or hardware VPN client. The user first authenticates with a Clientless SSL VPN gateway, which then allows the user to access pre-configured network resources. It provides secure and easy access to a broad range of web resources from almost any device that can connect to the Internet via HTTP.

Citrix clientless VPN access requires login on the VPN access control web page before allowing application access, making this option unusable for non-browser clients such as a git client or mobile apps. Bookmarking application URLs in browser favorites is impractical, as the user won’t be dynamically redirected to the login page when accessing an application from the bookmarked URL.

Application name masquerading is handled by Citrix Gateway to avoid information disclosure in DNS requests or SSL handshake.

Legacy CVPN

Application URLs are encoded and reverse-proxied to a https:///cvpn/ URL. As both the hostname and the URI are changed (/cvpn/ is added in front of every app URI), both absolute and relative application URLs have to be rewritten by Citrix Gateway.

URL detection and rewriting policies can be configured using Clientless Policies and Profiles.

This rewrite process introduces serious limitations which make CVPN difficult to use with modern JavaScript applications.

Moreover, the WebDAV protocol (PROPFIND) is not supported by CVPN, making file sharing applications that use WebDAV (Nextcloud, …) incompatible with Citrix Gateway CVPN.

Advanced CVPN

Advanced CVPN eliminates the following limitations pertaining to legacy Citrix Gateway CVPN:

  • Relative URLs cannot be identified at times.
  • Relative URLs generated dynamically by applications cannot be identified by Citrix Gateway rewrite engine.

Advanced Clientless VPN identifies the absolute URLs and host names and rewrites them in a new and unique manner instead of trying to rewrite relative URLs present in the HTTP response headers and body.
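The legacy limitation listed above (relative URLs built dynamically by the application escape the rewrite engine) can be reproduced with a toy prefix rewriter. This is an added example, not Citrix code: the gateway and application host names, the sample page and the `/cvpn/<scheme>/<host>` encoding are constructed stand-ins, and the real encoded form differs.

```python
import re
from urllib.parse import urljoin, urlsplit

GATEWAY = "https://gateway.example.com"  # hypothetical gateway address

def cvpn_url(scheme, host, path):
    # Constructed stand-in for the gateway's encoding; the real encoded form differs.
    return f"{GATEWAY}/cvpn/{scheme}/{host}{path or '/'}"

ATTR = re.compile(r'\b(href|src|action)="([^"]+)"')

def legacy_rewrite(body, app_scheme, app_host):
    """Rewrite absolute and root-relative URLs that appear in markup attributes."""
    def fix(m):
        attr, url = m.group(1), m.group(2)
        parts = urlsplit(url)
        query = f"?{parts.query}" if parts.query else ""
        if parts.scheme in ("http", "https"):        # absolute URL
            url = cvpn_url(parts.scheme, parts.netloc, parts.path + query)
        elif url.startswith("/"):                    # root-relative URL
            url = cvpn_url(app_scheme, app_host, url)
        return f'{attr}="{url}"'
    return ATTR.sub(fix, body)

def browser_target(page_url, reference):
    """Where a browser sends a request for `reference` found on `page_url`."""
    return urljoin(page_url, reference)

# Constructed sample response from a hypothetical internal application.
SAMPLE = (
    '<a href="/docs/start">Docs</a>\n'
    '<img src="https://wiki.corp.example/logo.png">\n'
    '<script>var id = 7; fetch("/api/items/" + id);</script>\n'
)

def demo():
    page = cvpn_url("https", "wiki.corp.example", "/index.html")
    rewritten = legacy_rewrite(SAMPLE, "https", "wiki.corp.example")
    # The script assembles its URL at run time, so the rewriter never sees it
    # and the browser resolves it against the gateway root, outside /cvpn/.
    dynamic = browser_target(page, "/api/items/7")
    return rewritten, dynamic

if __name__ == "__main__":
    rewritten, dynamic = demo()
    print(rewritten)
    print("dynamic request goes to:", dynamic)
```

The two markup URLs end up under `/cvpn/`, while the script's request lands on the gateway's own `/api/items/7` path and never reaches the application.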

Selective full-VPN access

VPN access mode is configured using session policies which can be bound on different bind points: global for the entire appliance, per vServer, user group, or user login. There is an internal Citrix Gateway priority that applies when session policies are bound to different bind points with the same priority. The internal priority is as follows:

  1. User (has the highest priority)
  2. Group
  3. Virtual Server
  4. Global (has the lowest priority)

The parameters from the session policy with the highest priority (lowest number), regardless of the bind point, take effect. That means all parameters defined in that policy will be in the effective policy set.

In case there is a tie in priority on different bind points, the internal priority (User > Group > Vserver > Global) kicks in.

Based on this session policy priority mechanism, different session policies can be applied to different user groups to effectively restrict full SSL VPN access to specific privileged user groups and/or from specific network locations or devices, reducing vulnerability of the enterprise network.
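The priority rules above can be turned into a small audit helper that computes which session policy decides each parameter for a given user. This is an added example, not Citrix code: the policy, group and vServer names are hypothetical, the bindings are constructed, and it assumes that a parameter the winning policy leaves unset falls through to the next policy in order.

```python
from dataclasses import dataclass, field

# Internal tie-break order from the text: User > Group > Virtual Server > Global.
BIND_RANK = {"user": 0, "group": 1, "vserver": 2, "global": 3}

@dataclass
class Binding:
    policy: str       # hypothetical policy name
    bind_point: str   # one of BIND_RANK
    target: str       # user, group or vServer name; "" for global
    priority: int     # lower number = higher priority
    params: dict = field(default_factory=dict)

def applicable(bindings, user, groups, vserver):
    """Yield the bindings that apply to this user's session."""
    for b in bindings:
        if (b.bind_point == "global"
                or (b.bind_point == "vserver" and b.target == vserver)
                or (b.bind_point == "group" and b.target in groups)
                or (b.bind_point == "user" and b.target == user)):
            yield b

def effective(bindings, user, groups, vserver):
    """Return {param: (value, policy)} for the session's effective settings."""
    ordered = sorted(applicable(bindings, user, groups, vserver),
                     key=lambda b: (b.priority, BIND_RANK[b.bind_point]))
    result = {}
    for b in ordered:
        for name, value in b.params.items():
            # Assumption: unset parameters fall through to the next policy.
            result.setdefault(name, (value, b.policy))
    return result

# Constructed bindings: clientless by default, full tunnel for one group only.
BINDINGS = [
    Binding("pol_clientless", "vserver", "vpn_vs", 100,
            {"clientlessVpnMode": "ON", "transparentInterception": "OFF"}),
    Binding("pol_full_admins", "group", "netadmins", 50,
            {"clientlessVpnMode": "OFF", "transparentInterception": "ON"}),
    Binding("pol_contractors", "group", "contractors", 100,
            {"transparentInterception": "OFF"}),
    Binding("pol_global", "global", "", 100, {"transparentInterception": "ON"}),
]

if __name__ == "__main__":
    for user, groups in [("alice", {"netadmins"}), ("bob", {"contractors"}), ("carol", set())]:
        print(user, effective(BINDINGS, user, groups, "vpn_vs"))
```

Because the priority number is compared before the bind point, a global binding with a lower number than the group policies would decide the setting for every user, so priorities need to be reviewed across all bind points together.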