Take Control of your Users' Web Browser for More Security and Easier Maintenance

Slides: 57
Provided by: marsham3

Transcript and Presenter's Notes

1
Take Control of your Users' Web Browser for More
Security and Easier Maintenance
  • Brian Mirrotto
  • Western Region SE
  • Citrix Systems, Inc.

  • Rob Patterson
  • Western Region SE
  • Citrix Systems, Inc.
2
Why Am I Here?
  • Understand the Benefits of a Published Browser
  • Who's publishing a web browser?
  • What tools can I use to lock down
    and optimize my browser?
  • Where to get Information?

3
Agenda
  • A Closer Look at Browsers
  • Published vs. Local Browser
  • Customer Examples
  • How to Publish a Secure Browser on Citrix
    Presentation Server

4
A Closer Look at Browsers
5
Enterprise Uses for Browsers
  • Access Enterprise Resources
  • Intranets, Portals, Partner Sites, etc
  • Deliver simple browser based application access
  • Research and Education
  • B2 Activities

6
Challenges of Local Browsers
  • Data Security
  • Difficult to manage and maintain
  • Version control, patch management
  • AntiVirus, Security, Spyware, Cookies
  • Different client Operating Systems and browsers

7
Understanding the Benefits of a Published Browser
8
Advantages of Citrix Presentation Server
  • Management
  • Performance
  • Security

9
Management
  • Single consistent service model for all
    applications
  • Central management of browser and components
  • ActiveX, plug-ins, JVMs, cookies, patches
  • Provide access to all clients and platforms
  • Linux, Macs, Clients w/ different browsers
  • Leverage shadowing for helpdesk and training

10
Performance
  • Predictable performance on low bandwidth
    connections
  • ICA, Mobile workers and remote offices
  • Improved performance of applications
  • SpeedScreen acceleration
  • No client upgrades required
  • Thin client support

11
Doculabs Validation Study
Evaluation Goals
  • Determine performance implications of deploying a
    web browser through Citrix Presentation Server
    rather than locally
  • Uncover the benefits of deploying a browser in
    low-bandwidth situations
  • Evaluate the benefits of Citrix Presentation
    Server

12
Study Methodology
  • Test platform contained 99 websites retrieved
    from the Internet
  • Mercury Interactive LoadRunner
  • Pages ranged from simple HTML content to complex
    information portals
  • The average page size, including graphics, was
    225 kilobytes
  • All tests were executed with 5 concurrent users
    with 5 iterations of the tests each

13
Effects of Limited Bandwidth on User Experience
[Chart: Page Download Performance, Browser Deployed on Citrix Presentation Server]
14
Local vs. Citrix Deployed Browsers
  • Citrix Presentation Server is 200% to 250% more
    efficient with network bandwidth than locally
    installed browsers

[Chart: Total Data Transferred, Local Browser vs. Citrix]
15
Other Statistical Comparisons
16
Security
  • Centralize security configuration and updates
  • Increase security of information assets
  • No data on client
  • Provide secure application access
  • Over the LAN, WAN or Internet
  • HIPAA, S-OX

17
Centralized vs. Local Browsers
Comparison Points
  • Bandwidth
  • bursty vs. streaming data
  • Response
  • data refresh
  • Security
  • local browser cache
  • Expense
  • client development upgrades
  • Productivity
  • simplistic vs. robust UI
  • Platform Choice
  • varied browsers
  • hardware requirements

18
Customer Examples
19
Co-Speaker Slides
  • Note: Co-Speaker Slides Follow

20
Who is Meijer?
  • Family-owned chain of supercenter stores
  • 171 stores in 5 states, and 4 data centers
  • 5 Citrix Presentation Server sites, currently
    using application silos at remote sites
  • Headquarters located in Grand Rapids, MI
  • Open 7x24
  • Invented the "supercenter" format in 1962

21
How Meijer Uses Citrix
  • Presentation Server
  • Single farm with 80 servers
  • Silos
  • Corporate
  • Remote access (using web access)
  • Merchandising systems (more to come)
  • Stores
  • Time/labor management
  • Store office apps
  • Warehouses
  • WMS
  • Warehouse office apps

22
Lessons from the past
  • iForum 2002
  • publishing a browser
  • Considered for thin-clients running WinCE or
    Linux
  • What are they thinking?
  • Me
  • Analysts

23
How Meijer Deploys Web Apps with Citrix
  • (a.k.a. Rob Eats Crow)
  • 2003
  • 5 days notice
  • ASP application going live
  • Windows 95 desktops
  • (No comments, please!)
  • Completed testing and deployment in 3 days

24
Meijer Deploys More Web Apps with Citrix
  • 2005 - Application Suite for Major Merchandising
    System Renovation
  • Business requirements
  • Uniform application access
  • Rapid application updates (rich client)
  • Quick response times
  • Technical issues (web)
  • Problems with bad campus wiring
  • WAN access for web apps with large datasets
  • Client performance in remote locations
  • Not All Web Apps Are Web Apps

25
Benefits Realized
  • With web applications on Citrix, Meijer realized
    the following benefits
  • Better control over application version and
    access
  • Access to internal resources from anywhere
  • Better overall user experience
  • Reduced network bandwidth
  • Easier troubleshooting and administration

26
Co-Speaker Slides
  • Note: End of Co-Speaker Slides

27
How to Lock Down and Optimize a Published Browser
28
Lockdown Techniques
  • IEAK and Profile Manager
  • Microsoft Group Policies
  • Presentation Server 4.0's AIE
  • Bogus Proxy Server entry
  • Security Zones

29
IEAK and Profile Manager
  • Internet Explorer Administration Kit (IEAK)
  • Enables an organization to create a custom browser
  • Recommended for Solution Providers and
    Application Developers
  • Group Policy: recommended tool for managing IE on
    client computers in a corporate network
  • IEAK 6 SP1: latest version

30
Internet Explorer Administration Kit
31
IEAK and Profile Manager
  • IEAK Profile Manager
  • Used to change settings and restrictions after IE
    is already installed
  • Modifies INS file created with IEAK

32
Microsoft Group Policies
  • New in Windows Server 2003
  • Group Policy Management Console (GPMC) and the
    RSoP Planning mode
  • Windows Server 2003 SP1 contains over 609 new
    Administrative Template (.adm) policy settings

33
Microsoft Group Policies
34
Microsoft Group Policies
35
Microsoft Group Policies
36
Microsoft Group Policies
37
Presentation Server 4.0's AIE
  • Application Isolation Environment
  • New feature in Presentation Server 4.0
  • Usage Scenarios
  • Security
  • Isolating Internet Explorer plug-ins
  • Isolating Service Packs
  • Restricting access to network resources

38
Bogus Proxy Server Entry
39
Bogus Proxy Server Entry
40
Security Zones
  • 4 Security Zones you can configure in IE
  • Internet
  • Local Intranet
  • Trusted Sites
  • Restricted Sites
  • Used to control execution of Java and ActiveX
  • IE Enhanced Security Configuration Component

41
Security Zones
  • Local Machine Zone configurable via Registry or
    Group Policy (Computer and/or User Configuration)
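
Added example (not part of the original slides): a read-only PowerShell audit of the zone settings that control ActiveX, scripting and Java, checked in both the Group Policy and plain registry hives for computer and user. Zone numbers 0-4 and action IDs 1200, 1400 and 1C00 are Internet Explorer's documented URL-action values; the function name and the "strict zones" baseline are assumptions made for illustration.

```powershell
# Added example: read-only audit of IE security zone settings.
# Zones 0-4 and the action IDs are IE's documented URL-action values.
$ZoneNames = 'Local Machine', 'Local Intranet', 'Trusted Sites', 'Internet', 'Restricted Sites'
$Actions = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
    '1C00' = 'Java permissions'
}
# Assumed baseline (not from the slides): in these zones nothing should
# be silently enabled, and Java should be disabled.
$StrictZones = 0, 4

# Group Policy hives first, then plain registry preferences.
$Roots = 'HKLM:\Software\Policies\Microsoft', 'HKCU:\Software\Policies\Microsoft',
         'HKLM:\Software\Microsoft', 'HKCU:\Software\Microsoft'

function Get-IEZoneAudit {
    foreach ($root in $Roots) {
        foreach ($zone in 0..4) {
            $key = "$root\Windows\CurrentVersion\Internet Settings\Zones\$zone"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if (-not $props) { continue }            # key absent in this hive
            foreach ($id in $Actions.Keys) {
                $value = $props.$id
                if ($null -eq $value) { continue }   # action not configured here
                if ($id -eq '1C00') {
                    # Java: 0 disables, any other value is a safety level
                    $state = if ($value -eq 0) { 'Disable' } else { 'Enabled (0x{0:X})' -f $value }
                    $weak  = $value -ne 0
                } else {
                    $state = switch ($value) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' }
                                               default { '0x{0:X}' -f $value } }
                    $weak  = $value -eq 0
                }
                [pscustomobject]@{
                    Key     = $key
                    Zone    = $ZoneNames[$zone]
                    Setting = $Actions[$id]
                    State   = $state
                    Flag    = ($weak -and ($StrictZones -contains $zone))
                }
            }
        }
    }
}

Get-IEZoneAudit | Sort-Object Flag -Descending | Format-Table Zone, Setting, State, Flag, Key -AutoSize
```

Rows with Flag set to True are the ones that deviate from the assumed baseline; a setting that appears in more than one hive shows where policy and preference disagree.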

42
Optimization with SpeedScreen Acceleration
  • Four Types of SpeedScreen Acceleration
  • Browser Acceleration
  • Image Acceleration
  • Flash Acceleration
  • Multimedia Acceleration

43
SpeedScreen Acceleration
  • Benefits and Characteristics
  • Drastic reduction in server CPU and bandwidth
    utilization
  • Server scalability similar to MS Office
    applications
  • Quality of video and audio in ICA same as local
    console playback
  • Improved ICA session interactivity

44
SpeedScreen Browser Acceleration
  • Requirements
  • FR3 Server and 7.0 Client or Higher
  • Publish with at least 16-bit High Color
  • IE 5.5, Outlook 2000 or Higher, or Outlook
    Express 6
  • Disable Auto Image Resizing and Animations in IE
    (Automatic)
  • Implementation
  • Enabled by default
  • Speedbrowse On
  • Enable at Farm level or by individual server

45
SpeedScreen Browser Acceleration
  • Hooks in IE browser
  • Images moved via separate virtual channel
  • Images delivered using native image compression
  • Virtual Channel is Low Priority
  • Responsive Scrolling

46
SpeedScreen Image Acceleration
  • Lossy Image Compression
  • Lossy settings impact image file size and quality
  • None - 100% image quality and highest bandwidth
  • Low - 95% image quality and 50% bandwidth
  • Medium - 90% image quality and 30% bandwidth
  • High - 80% image quality and 10% bandwidth

47
SpeedScreen Flash Acceleration
  • Characteristics without Flash Acceleration
  • High server CPU and bandwidth utilization
  • Degraded video quality and reduced ICA session
    interactivity
  • With Flash Acceleration Enabled
  • Forces Flash Player to start up in low quality
    mode
  • Reduces amount of data sent down the wire
  • Improves users' session responsiveness

48
SpeedScreen Flash Acceleration
49
SpeedScreen Multimedia Acceleration
50
SpeedScreen Acceleration Details
  • Microsoft DirectShow
  • The client processes media samples
  • Supports Windows Media Player, and RealOne
    applications
  • Supports MPEG1, MPEG2, WMA, MP3, and DIVX media
    types
  • Requires MPS 3.0 or higher Advanced or Enterprise
    Editions
  • Consider dropping this slide

51
Internet Explorer
  • Publish Specific URL
  • iexplore.exe http://www.citrix.com
  • Internet Explorer in Kiosk Mode
  • Use iexplore.exe -k as Shell replacement
  • Alt-F4 will close the shell AND browser

52
Resources
  • Internet Explorer 6 Administration Kit Service
    Pack 1 Deployment Guide
  • http://www.microsoft.com/technet/prodtechnol/ie/ieak/techinfo/deploy/60/en/seccont.mspx
  • Group Policy Settings Reference for Windows
    Server 2003 with Service Pack 1
  • http://www.microsoft.com/downloads/details.aspx?familyid=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en
  • Group Policy Management Console
  • http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
  • Writing Custom ADM Files for System Policy Editor
  • http://support.microsoft.com/default.aspx?kbid=225087

53
Resources
  • How to use Security Zones in Internet Explorer
  • http://support.microsoft.com/?kbid=174360
  • http://www.microsoft.com/windows/ie/using/howto/security/setup.mspxEKAA
  • How to strengthen the security settings for the
    Local Machine zone in Internet Explorer
  • http://support.microsoft.com/default.aspx?scid833633
  • How to install Internet Explorer (IE) 6 into an
    Isolation Environment
  • http://support.citrix.com/kb/entry!default.jspa?categoryID=618&externalID=CTX106085&fromSearchPage=true

54
Final Thoughts
  • Comparison of Published vs. Local Browser
  • Benefits of deploying a Browser on Citrix
  • Meijer Stores and Real World Challenges
  • Tools and Resources for Published Browser
  • Use the tools to build yours now!!!

55
Before you leave
  • Recommended related breakout sessions
  • Session surveys are available online at
    www.citrixiforum.com Tuesday, October 11 (please
    provide feedback)
  • Breakout session handouts are located at the
    Breakers Registration Desk South

56
(No Transcript)