Title: Take Control of your Users' Web Browser for More Security and Easier Maintenance
1. Take Control of your Users' Web Browser for More Security and Easier Maintenance
- Brian Mirrotto
- Western Region SE
- Citrix Systems, Inc.
- Rob Patterson
- Western Region SE
- Citrix Systems, Inc.
2. Why Am I Here?
- Understand the Benefits of a Published Browser
- Who's publishing a web browser?
- What tools can I use to lock down and optimize my browser?
- Where to get Information?
3. Agenda
- A Closer Look at Browsers
- Published vs. Local Browser
- Customer Examples
- How to Publish a Secure Browser on Citrix Presentation Server
4. A Closer Look at Browsers
5. Enterprise Uses for Browsers
- Access Enterprise Resources
- Intranets, Portals, Partner Sites, etc
- Deliver simple browser based application access
- Research & Education
- B2 Activities
6. Challenges of Local Browsers
- Data Security
- Difficult to manage and maintain
- Version control, patch management
- AntiVirus, Security, Spyware, Cookies
- Different client Operating Systems and browsers
7. Understanding the Benefits of a Published Browser
8. Advantages of Citrix Presentation Server
- Management
- Performance
- Security
9. Management
- Single consistent service model for all applications
- Central management of browser and components
- ActiveX, plug-ins, JVMs, cookies, patches
- Provide access to all clients and platforms
- Linux, Macs, Clients w/ different browsers
- Leverage shadowing for helpdesk and training
10. Performance
- Predictable performance on low bandwidth connections
- ICA, Mobile workers and remote offices
- Improved performance of applications
- SpeedScreen acceleration
- No client upgrades required
- Thin client support
11. Doculabs Validation Study
Evaluation Goals
- Determine performance implications of deploying a web browser through Citrix Presentation Server rather than locally
- Uncover the benefits of deploying a browser in low-bandwidth situations
- Evaluate the benefits of Citrix Presentation Server
12. Study Methodology
- Test platform contained 99 websites retrieved from the Internet
- Mercury Interactive LoadRunner
- Pages ranged from simple HTML content to complex information portals
- The average page size, including graphics, was 225 kilobytes
- All tests were executed with 5 concurrent users with 5 iterations of the tests each
13. Effects of Limited Bandwidth on User Experience
[Chart: Page Download Performance, Browser Deployed on Citrix Presentation Server]
14. Local vs. Citrix Deployed Browsers
- Citrix Presentation Server is 200% to 250% more efficient with network bandwidth than locally installed browsers
[Chart: Total Data Transferred (Local Browser, Citrix)]
15. Other Statistical Comparisons
16. Security
- Centralize security configuration and updates
- Increase security of information assets
- No data on client
- Provide secure application access
- Over the LAN, WAN or Internet
- HIPAA, S-OX
17. Centralized vs. Local Browsers
Comparison Points
- Bandwidth
- bursty vs. streaming data
- Response
- data refresh
- Security
- local browser cache
- Expense
- client development upgrades
- Productivity
- simplistic vs. robust UI
- Platform Choice
- varied browsers
- hardware requirements
18. Customer Examples
19. Co-Speaker Slides
- Note: Co-Speaker Slides Follow
20. Who is Meijer?
- Family-owned chain of supercenter stores
- 171 stores in 5 states, and 4 data centers
- 5 Citrix Presentation Server sites, currently using application silos at remote sites
- Headquarters located in Grand Rapids, MI
- Open 7x24
- Invented the "supercenter" format in 1962
21. How Meijer Uses Citrix
- Presentation Server
- Single farm with 80 servers
- Silos
- Corporate
- Remote access (using web access)
- Merchandising systems (more to come)
- Stores
- Time/labor management
- Store office apps
- Warehouses
- WMS
- Warehouse office apps
22. Lessons from the past
- iForum 2002
- publishing a browser
- Considered for thin-clients running WinCE or Linux
- What are they thinking?
- Me
- Analysts
23. How Meijer Deploys Web Apps with Citrix
- (a.k.a. Rob Eats Crow)
- 2003
- 5 days notice
- ASP application going live
- Windows 95 desktops
- (No comments, please!)
- Completed testing and deployment in 3 days
24. Meijer Deploys More Web Apps with Citrix
- 2005 - Application Suite for Major Merchandising System Renovation
- Business requirements
- Uniform application access
- Rapid application updates (rich client)
- Quick response times
- Technical issues (web)
- Problems with bad campus wiring
- WAN access for web apps with large datasets
- Client performance in remote locations
- Not All Web Apps Are Web Apps
25. Benefits Realized
- With web applications on Citrix, Meijer realized the following benefits
- Better control over application version and access
- Access to internal resources from anywhere
- Better overall user experience
- Reduced network bandwidth
- Easier troubleshooting and administration
26. Co-Speaker Slides
- Note: End of Co-Speaker Slides
27. How to Lock Down & Optimize a Published Browser
28. Lockdown Techniques
- IEAK and Profile Manager
- Microsoft Group Policies
- Presentation Server 4.0's AIE
- Bogus Proxy Server entry
- Security Zones
29. IEAK and Profile Manager
- Internet Explorer Administration Kit (IEAK)
- Enables organization to create a custom browser
- Recommended for Solution Providers and Application Developers
- Group Policy is the recommended tool for managing IE on client computers in a corporate network.
- IEAK 6 SP1 is the latest version
30. Internet Explorer Administration Kit
31. IEAK and Profile Manager
- IEAK Profile Manager
- Used to change settings and restrictions after IE is already installed
- Modifies INS file created with IEAK
32. Microsoft Group Policies
- New in Windows Server 2003
- Group Policy Management Console (GPMC) and the RSoP Planning mode
- Windows Server 2003 SP1 contains over 609 new Administrative Template (.adm) policy settings
33. Microsoft Group Policies
34. Microsoft Group Policies
35. Microsoft Group Policies
36. Microsoft Group Policies
37. Presentation Server 4.0's AIE
- Application Isolation Environment
- New feature in Presentation Server 4.0
- Usage Scenarios
- Security
- Isolating Internet Explorer plug-ins
- Isolating Service Packs
- Restricting access to network resources
38. Bogus Proxy Server Entry
39. Bogus Proxy Server Entry
40. Security Zones
- 4 Security Zones you can configure in IE
- Internet
- Local Intranet
- Trusted Sites
- Restricted Sites
- Used to control execution of Java and ActiveX
- IE Enhanced Security Configuration Component
41. Security Zones
- Local Machine Zone configurable via Registry or Group Policy (Computer and/or User Configuration)
42. Optimization with SpeedScreen Acceleration
- Four Types of SpeedScreen Acceleration
- Browser Acceleration
- Image Acceleration
- Flash Acceleration
- Multimedia Acceleration
43. SpeedScreen Acceleration
- Benefits and Characteristics
- Drastic reduction in server CPU and bandwidth utilization
- Server scalability similar to MS Office applications
- Quality of video and audio in ICA same as local console playback
- Improved ICA session interactivity
44. SpeedScreen Browser Acceleration
- Requirements
- FR3 Server and 7.0 Client or Higher
- Publish with at least 16-bit High Color
- IE 5.5, Outlook 2000 or Higher, or Outlook Express 6
- Disable Auto Image Resizing and Animations in IE (Automatic)
- Implementation
- Enabled by default
- Speedbrowse On
- Enable at Farm level or by individual server
45. SpeedScreen Browser Acceleration
- Hooks in IE browser
- Images moved via separate virtual channel
- Images delivered using native image compression
- Virtual Channel is Low Priority
- Responsive Scrolling
46. SpeedScreen Image Acceleration
- Lossy Image Compression
- Lossy settings impact image file size and quality
- None - 100% image quality and highest bandwidth
- Low - 95% image quality and 50% bandwidth
- Medium - 90% image quality and 30% bandwidth
- High - 80% image quality and 10% bandwidth
47. SpeedScreen Flash Acceleration
- Characteristics without Flash Acceleration
- High server CPU and bandwidth utilization
- Degraded video quality and reduced ICA session interactivity
- With Flash Acceleration Enabled
- Forces Flash Player to start up in low quality mode
- Reduces amount of data sent down the wire
- Improves user's session responsiveness
48. SpeedScreen Flash Acceleration
49. SpeedScreen Multimedia Acceleration
50. SpeedScreen Acceleration Details
- Microsoft DirectShow
- The client processes media samples
- Supports Windows Media Player, and RealOne applications
- Supports MPEG1, MPEG2, WMA, MP3, and DIVX media types
- Requires MPS 3.0 or higher Advance or Enterprise Editions
- Consider dropping this slide
51. Internet Explorer
- Publish Specific URL
- iexplore.exe http://www.citrix.com
- Internet Explorer in Kiosk Mode
- Use iexplore.exe -k as Shell replacement
- Alt-F4 will close the shell AND browser
52. Resources
- Internet Explorer 6 Administration Kit Service Pack 1 Deployment Guide
- http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/seccont.mspx
- Group Policy Settings Reference for Windows Server 2003 with Service Pack 1
- http://www.microsoft.com/downloads/details.aspx?familyid=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en
- Group Policy Management Console
- http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
- Writing Custom ADM Files for System Policy Editor
- http://support.microsoft.com/default.aspx?kbid=225087
53. Resources
- How to use Security Zones in Internet Explorer
- http://support.microsoft.com/?kbid=174360
- http://www.microsoft.com/windows/ie/using/howto/security/setup.mspx#EKAA
- How to strengthen the security settings for the Local Machine zone in Internet Explorer
- http://support.microsoft.com/default.aspx?scid=833633
- How to install Internet Explorer (IE) 6 into an Isolation Environment
- http://support.citrix.com/kb/entry!default.jspa?categoryID=618&externalID=CTX106085&fromSearchPage=true
54. Final Thoughts
- Comparison of Published vs. Local Browser
- Benefits of deploying a Browser on Citrix
- Meijer Stores and Real World Challenges
- Tools and Resources for Published Browser
- Use the tools to build yours now!!!
55. Before you leave
- Recommended related breakout sessions
- Session surveys are available online at www.citrixiforum.com Tuesday, October 11 (please provide feedback)
- Breakout session handouts are located at the Breakers Registration Desk South