Duration 43:38

Citrix Synergy TV - SYN132 - Geek's guide to the workspace (part 3): protecting your SaaS

Matt Brooks
Senior Technical Product Marketing Manager at Citrix
Citrix Synergy Atlanta 2019
May 22 2019, Atlanta, GA, United States

About speakers

  • Matt Brooks
    Senior Technical Product Marketing Manager at Citrix
  • Scott Fanning
    Senior Director of Product Management - Security / SD-WAN at Citrix

About the talk

Topic: IT

SaaS apps are great. They are extremely easy to buy, easy to deploy and easy to access. Regardless of the user's endpoint and location, they can access the app without relying on IT to deploy complex VPNs. Unfortunately, each SaaS app introduces a new identity for the user to remember. User accounts can be easily compromised with a weak password, resulting in stolen data. We have no easy way to disable access to SaaS apps when users leave the company. This session will demonstrate how to incorporate single sign-on, enhanced security, and website filtering for SaaS and web apps into the Citrix Workspace experience.

Note: This session will be live-streamed during the event and available for on-demand viewing post-event on Citrix Synergy TV.


Okay, let's get started. Welcome to protecting your SaaS. I'm Matt Brooks. I'm a text with Citrix technical marketing. 00:03 I've been with Citrix about eight years and I've been in a lot of different roles for his work in the customer side and the product side and has some 00:12 good exposure to work networking technology, which we're going to talk a lot about today and I'm honored to be doing my makeup my calling Scott Heim. 00:20 Stop adding. I've been running product management for security at Citrix specifics for a whopping 14 months. I think at this point and I'm really 00:27

excited to work with him. And I think it's going to be great. So previously in the geek's guide to the workspace and I should recap if you're not 00:37 familiar with this week. We're doing a 10-part session series. So this is the third of 10 we talked about identity and I'm basically the 00:44 importance of its significance of it and lot of complexities and challenges with maintaining password making them complex having multiple passwords 00:54 for different. And so that's really the first thing we talked about writing but it's probably one of the most important to your key to open the door, 01:02

if the if the bad actors get in your house through the front door, those other protections aren't really going to help you but I'm working at to take 01:09 the identity and build on that. I'm going to talk about single sign-on the lot. So we're going to talk about single sign-on for SaaS apps, web apps and 01:16 mobile apps and we really need the importance in need for using those passwords that users forget her. You know, what are always have trouble making 01:24 complex? For we get into those we're going to talk a bit about Citrix access control and Gateway service. These are really foundational technologies 01:32

to enable and I'm providing single sign-on as well as additional protections for one mobile app store keep cats off after quick NDA 01:41 delivered product manager. I'm always be 01:50 predisposed to disappointment on delivery date, so don't want to attend 02:00 because today right? So good luck here. You have your Enterprise 02:03 apps on your data center and usually have a proxy a DMZ the kind of pill office Kate your access to your sass aplicare your web applications all your 02:13

on-prem data center and remote access to your typical VPN kind of explains what applications and actually in some cases more complex. 02:21 You have a nice ass in public cloud. Different kind of Hosting opportunities different kind of cost structure is different kind of geography footprint 02:30 different type of regulatory environment or regular regulated in the healthcare industry and what they do to try to consolidate that make it easier to 02:39 do single sign-on. So 1password get taxes all these apps because obviously if you had to sign into every one of them the user experience it for your 02:49

password to get weaker because you're probably going to replicating these passwords against multiple properties. And then if you look at unsanctioned 02:57 fast and internet apps typically, you know, they'll put a all web filter in place and say hey this is applications that you can go to these 03:04 applications. You can't go to be a fairly binary decision about what to do and also give some insight to you're that kind of Shadow it know 03:12 where the apps are how you tried to access these things. What we are trying to offer here is a consolidation of all three of those things when 03:21

filtering a proxy single sign-on and Call app control through the difference in architecture. What were the benefits and all the different 03:31 capabilities around this and that will also have some video demos as well. Not so it's going to be pretty good getting past the point Solutions got it 03:40 all so I don't not only improves user experience. It improves your security Foster. I think right there. So there's less chance for admit mistakes and 03:47 what by consolidating all that technology in ones by absolutely you typically if you allow the Enterprise themselves to do that kind of consolidation 03:54

on their own, you know, you're burdened with Ashley doing all that infrastructure hooking all these different parts together and some of these parts 04:02 have some overlap so I can start to question, you know, which has the priority events versus the other capability known average Enterprise has 04:09 anywhere from Yale 6290 security controls in it, and the outcome is about protection and that's what we're trying to deliver here. So if the 04:16 complexity definition the front of security in terms of administering an absolute like then So if you look at the end user experience with the 04:25

workspace app, so you saw what happened with the intelligent workspace in the work space. This is this is kind of talking that what current present 04:34 state. So, you know, if you want to go on to a science application you open up with enhanced security off and you opened up your browser you go right 04:40 to the internet. Okay. Now if you happen to have enhanced security on this allows us to leverage the control point that is the workspace app to afford 04:49 controls on top of the SaaS application. And what's really interesting about. This is that this is not like a deep integration type SaaS security. It's 04:59

an overlay on any of the staff applications you happen to have because we're doing it through a browser environment that we control and so we can do 05:09 things in this example. We're running a watermark and this Watermark, it would have to be done and rendered to our browser environment. And 05:16 then are based upon those policies. We say, you know what we put enough conditions around for the end user to be able to access ask property. And now 05:26 we will allow you to go to the internet and click on those things and those controls are done in line and continuously monitored during the session in 05:34

which to the SaaS application. The web filter is pretty important for regulatory reasons and avoid those those bad actors that does know that's why she 05:41 wanted to avoid having to use as go there and they're explicitly right there by accident, you know, maybe there's some kind of phishing attempt where 05:50 there's a link in there trying to do it and also, you know, it's about you know, your own policies and regulatory environment. You're the primary 05:58 reason people put security controls in this because the regulations tell you that have to do it and you know, if it's important to that this is fed 06:05

with real-time threat intelligence to make sure that is timely because he cites come up and down various URL. Look at me a munge different ways. So 06:13 the ability to be able to retail have an active threat intelligence feed into this is also important to 06:21 allow something or do I block something but sometimes you want to allow shade of bread. So this is a case where maybe you want to go on Facebook and 06:31 you're saying look, you know by users want to go on Facebook by Sia. I want to retain control and still want to make sure that there's any threats 06:40

that happened to materialize during that session that they're contained in real time. And so this is going to redirect to secure browser service is 06:47 kind of giving you that ability to manage the shade of gray. I mean, if you look at it from employee experience perspective, you know, one of the 06:54 things bad is that you know, when people go to work they want to use the tools are used to doing and sometimes you as as the IT department and put all 07:01 the policies in place to get the finer granularity of control. So this is great in terms step as well as while you're trying to understand you laugh 07:09

easily station to really take advantage of students virtualization technology. And if they do get kind of a phishing email get past when I was with 07:16 filters any threat to the endpoint is mitigated, right? We're going to leave that out in the cloud to someone send session goes away 07:23 all traces of it goes way as well. So it's it's a it's a great way. 07:33 So that way service by so we have a Gateway service in the cloud is a 10 m solution users get into it. 07:44 We access it. We interrogated. It's elastic and Ice consumption pricing and you don't have to worry about managing it. So if you're looking for a 07:54

solution that you'll for single sign-on and you want to go to the Gateway services at Fantastic answer for that. We do all the upgrades. It's just a 08:04 low-cost way of doing it and you know what it has all the cloud service benefits, you know during the Black Friday if your retailer got that a person 08:14 consumption model, so you have to first out you can still he'll be able to do that kind of in a massive deal with scheduling and you 08:22 know what you don't have to worry about all the training of somebody that have to manage one of these devices. So from employee recruitment retention, 08:32

this is a much simpler consumption model. Workhorse for years, but I'll be said that that's more complexity for the administrators right now. 08:39 Yeah, absolutely. If I can just added two 08:49 more Pops. I want an Indian one in South Africa as well and we're constantly re-evaluating your where we have to put these Paws because the user 08:59 experience matter so you won't be close to where your applications are what they say is not though is a managed netscaler. That's not the goal of this 09:06

product. The goal is to provide services to our customers. We take care of this the patches in the exact exact 09:15 as kind of the Swiss army knife in the creativity that are some things that we think about 09:24 so they have at the clouds or prescriptive. So it's a really experienced. 09:34 Yeah, so, you know, I don't know what we are Intelligent Traffic Manager. The right here is doing this for us so we can take advantage of all these 09:44 millions of Thieves that we have to be able to orchestrate the user experience and we will redirect IL Duomo balancing based upon the ITM sensors. And 09:52

so this gives us this is kind of representation of times the user experience in Lane C from different parts of Geo and you'll just like I can do this 10:01 for Global server load balancing. We actually take advantage of it for ourselves in our own service to make sure we get the best user experience. I 10:09 think we have maybe a hundred of predictive going to get a quick response and then didn't respond with the pop is closest to users going to figure it 10:16 out based on kind of the complex algorithms that i t m 18 is another position we can dynamically obscure that traffic to 10:25

make sure that we still maintain a great user experience. Lyrics. That's 10:35 right. If you look at things like Office 365 and other kind of applications, you know, the user experience is really important meal. You look in your 10:45 own day-to-day you're using the web. You know, if every time you hit the refill to retry button all the time cuz you're trying to get hurry up. Hurry 10:53 up. Hurry up. You don't want to be in the middle of that user experience. You want to make sure the optimal makes sense. I just love saying that 11:00

so there's a lot of sass out there. And in fact, you know, if you look at the workforce that's her coming into the workforce, you know, they're 11:10 very used to say applications. And so when the employees come to your Enterprises and your company's they're going to expect to speak with a bunch of 11:19 tools that they're kind of used to as they come in and part of job satisfaction is being able to do that. So this is a charge of showing that hate is 11:28 70% of our organization. They nearly all the wraps will be sassy by 2020 and you know, I think the rate in case of this depends on the industry of 11:35

depends on the We have a large medical customers that have a much slower Pace to doing this the other night pick certain apps that are facing apps 11:44 highly regulated environment might be slower. But you know to look at retail SMB different type of Articles elsass applications. Take a credit card. 11:53 You wipe it off Hugo doesn't need to be involved 12:01 that were the case, but that's not the case because you're still ultimately responsible for the perimeter. So how do you enforce the perimeter when 12:10

there isn't any right because he got all these different properties regulatory environment gdpr y'all bunch of different things happening and you know 12:17 a performance at least getting to the app, you know, you still have the only thing getting to those app data governance. You can look at the 12:27 shared-responsibility model that most Cloud providers provide data responsible East arrest with you on the Enterprise single sign-on to Prudential 12:35 management for the eye can see Your responsibilities as well. And then you need you need some help to be able to kind of stole those things together. 12:43

And so that's why they analytics and visibility tools are important because if you can't see it, you can't protect it and use those apps that need to 12:50 make sure they maintain their intellectual property and keep track of who's using what absolutely so take a look at the user experience with this s 12:58 sure so you know what the first thing you have to do is sign on right? So here's a case where were chicken and Humanity app to the work space and it's 13:07 booting up. And then you're on the app it all look. It's a watermark in the middle of my app. And the reasons do NASA policies tell you to do that. 13:15

One of the reasons we have that is photography is actually a Threat Vector. I just came from a legal team. Actually. This is on the request that they 13:23 had for us and he tried to click on the link in the ice is restricted because it wasn't inappropriate like but we're going to the internal site we 13:30 clicked on that. And look, you know what there is no watermark. It was okay cuz internal site pause. He said it was fine. If you can do that or 13:38 perhaps faces, does it have to be a global policy cuz you got too much friction and everything is bad and there was a case where I went through 13:47

Facebook and I was done to secure browser the session so it's safe. It's contained and you still didn't use are still get to participate music 13:54 portal. You're in an e-mail right? Very very seamless. 14:01 I'll take a look at the architecture and bear with me on this if it's not, you know, watch Groundhog Day. 14:13 OK Google have a workspace app. It's going to connect to the workspace service. What's the afternoon rated in the primary? If medications done to the 14:23 contact the Gateway service it's going to get and it's going to get a preferred browser in a URL. This point this browser is going to use ITM to 14:32

figure out which is the closest Gateway going to talk to the Gateway and Gateway is going to communicate with a single sign-on service is going to get 14:41 it and assertion for the browser to be sent to the service provider Silverspot is going to validate with that with the Gateway service and then they 14:47 single sign-on is complete and likewise with enhanced security office for defusing a browser. Right? We don't have work space app 14:55 similar process within a log into the workspace. It communicates with Gateway service. And it's going to reach Gateway Services going to talk to 15:05

single sign-on service return the assertion that spell audited by the service provider and we have single sign-on all driven by policy very granular. 15:13 So that's all going to happen to know a split-second weekend and walk through it slowly there. Now, it's let's change it up and we'll notice to the 15:21 devil is in the details. So we're doing with doing enhance security on so now with with a workspace app going to talk to the workspace service. It's 15:28 going to talk back to the Gateway service. And in this case, it's going to recommend using the the browser integrated in workspace at right we're 15:37

using an enhanced security. So he gave me Services can both talk to single sign-on service and access control and figure out which of those additional 15:44 policy if you want to fly to the browser. It's going to be presented still with the assertion to work later browsers going to talk to the service 15:51 provider and validates that this is a SAML 2.0 dance and they have a session and likewise if it's going to be a bit different with the native browser 15:59 here. We logged into work space for the browser. It's talking to Gateway service. This case is going to recommend to use the secure browser service 16:07

and secure browser service steps and it's going to proxy taking that assertion contact the service provider and validating that validate and then 16:14 he'll completing the single sign-on. I'll take a look at the admin experience. 16:23 So we're going to start with the Tempest cloud in a Gateway single sign-on will see this polite. Here's our list of templates. I'm not sure how many 16:35 we have this all the time. So I'm going to drop down into the humanity of the first thing we'll find if you need to get us some information about the 16:44

app itself in the URL with an actual enter the actual domain that we created on that site. Once we have that we can move on here so we 16:54 can select or deselect enhanced security settings. Move on their last step. Set up for single sign-on settings 17:04 for the searching. You're all going to enter a specific domain for the site. And I were going to open 17:13 this XML file which has R Us a more specific information that right that we need to share with this site. It's just got when we go to the humanity. 17:23

We're going to go to a single sign-on section. This is going to vary a bit by service provider, right? It's it's not all the same as soon as we don't 17:32 have microwaves for this day. All the fine is easy. So we'll never get to the admin section in here. We'll find details that we're going to pull out 17:40 of that. We have an entity ID. We're going to copy and paste into the site. And also the law got gyro. 17:49 Then we'll take the Dostoevsky the X.509 cert and face Thailand. I want those are base64 encoding they can read that right that's good for 17:59

user-friendly the browser the wizard to it. So now we can go ahead and provisioners 18:09 subscribers and the same manner we do all of our other apps will drop into the into the app many subscribers and select a Active Directory Group or 18:19 individual user. And there we've provisioner single sign-on up it'll be available in their work space after this point. 18:28 I wouldn't go ahead and take a look back into Access Control we can do some customization. So here we can we can go in and we can either select a 18:38

specific categories that we wanted Blacklist write. These are these are list of lots of known sites that are may have been maintained by back there. 18:48 That's correct. You can go ahead and add those. And then likewise weekend we can select 18:56 strip bars categories are once we wanted there in that gray or a want to be hosted in the club. Then we can also add specific websites that we want to 19:05 wait list, for example, or what have you totally internal websites that you're like, you know what we're trusting that for now. 19:13

And here's a quick look at doing this with D3. So we'll split skip ahead hair back the same way 19:25 and see if we can do a search for G. Suite will select it. 19:35 And will again with the same passholder center with the Beatles. You can do to use to do on his security. 19:46 It's a woman notice in this case is going to be able to look at it. Again our domain specific information in the Euro Fields will let us in this case. 20:00 We can actually download an important to the site. So just another look at a different type of SAS Administration if you will will 20:09

see where in that we're here in the same page and we will go ahead and just don't know copy and paste a little bit cleaner set up there. Personology 20:19 shifters book about webs got weed that we we saw in the SAS 4 after that a lot of companies moving to SAS, but they still need to maintain some of 20:29 those apps that they have in their internet, right? I think that. Cloud Journeys I'm going to be a little bit exaggerated because you'd hear about 20:37 Cloud all the time. But a lot of our customers have any all large on Prime premise particularly more regulated Industries and but they still want the 20:44

same contextual access controls and flexibility and consistency of policy between staff and he's apps so absolutely 20:51 so it when we use apps on a Land Rover kind of spoiled their security taking place, but it's just kind of works for us. Right if you're not machine, 21:05 that's the main Joe and you might have Kerberos enabled and you don't know it right you're getting to your services without having to enter into 21:13 details and eyesight. If we didn't Queen able to until M user connect to it. He's not in the domain. He's going to be presented with a need for 21:20

credentials and this gets back to what we kicked it off with. No not nice when you need to get to enter enter password Ray Wright. And then what to do 21:28 after the Rayville to get to that site? What's take a look at the web SSO architecture went to see a similar diagram here similar 21:35 beginning as to Woodside stops going to start with a workspace app. We connect to our work space is going to communicate with the Gateway service. 21:45 And it's also also includes app control, right so we can access control who can apply those same kind of controls to the web app in this case a 21:55

different series sample to a service provider reach out to Gateway connector. What is happens is when the workspace app 22:03 browser browser receives the Seas a token from is it has a resource location identifier that allows the Gateway service to 22:13 communicate with that research location and tell and tell a Gateway connector to communicate back with us to give me connector right? It's a new 22:23 printing machine DC code or in gate code 22:30 for a Jones for the future development. 22:35

It's all then we have our complete the connection after that that connection to set up from the Gateway service to the Gateway connector. And then at 22:46 Gateway connector is going to negotiate the authentication for us. It knows until Kerberos for or forms if you will. I was on service prior. 22:53 I must think the same role as the as he has to be part of it up the whole SSO process right 23:03 across a log into a workspace in this case would be asked to 23:08 use the secure browser service and it will communicate with Gateway service which will check with access control and still set up that proxy to the 23:18

premises and the Gateway connector will negotiate the Authentication. So that's a real true Hybrid used case. Right? I mean we have no known prime 23:27 asset like the other interests ATC acting as a Gateway get the Gateway service than the cloud and they're both working together provide you that kind 23:37 of native web app experience and Sasha Paul Simon taneously. So, you know your digital transformation on your Enterprises doesn't cooperate. This 23:44 isn't a choice between do I do a SAS or do do you unfriend someone consistent user experience across both those demands? So this this is a doctor do 23:52

for you to introduce ass properties and get more comfortable with those or at least he'll respond to what you were going to deliver. Users are 24:00 selecting their app and they're working and being productive exactly. His let's take a look at the diamond experience now for web SSO. 24:09 I'm going to start again with the with Gateway hair will select single sign-on. It's so this this list of templates we have is it's really for 24:20 SATs, right? We're repopulating some links for you, but I was so we can we can shoot we can select one this case. I slept SharePoint we can just skip 24:30

at this point right? We're going to have to enter some information specific about our web app in our internet. Change the icon of 24:37 cashews. And also getting the same enhanced Securities, you know, the inconsistency in the admin experience same 24:47 access control settings. And then here's where we differ from the disaster. That's right. We're not going to answer it the same with 24:57 Mission here who's real going to configure Gateway connector. So again, this is a virtual machine. We're going to download you going to pick your 25:07

hypervisor. This case I'm using going to use Citrix Hypervisor. 25:16 So will I will say that off. Skip ahead a bit here in the download. 25:29 Until we're going to import our experience. It's this simple and we won't go through all the configuration steps, but we'll see once once his lunches 25:41 will look at the console screen and you noticed it's very I almost identical it is identical to NetScaler ADC VPX putting up right 25:49 address. I'm going to connect on 48443 minor difference. They're going to drop into a browser 25:58

will connect to that. So pretty appreciate forward to set up and then there's just a handful of things. We need to enter 26:08 once we connect to the to the gooey. We're going to have a default administrator username and password for single gas tank change that change that 26:18 password place. That would be very good 26:26 news 26:28 Kerberos. We need to enter some credentials right to Manor service account. Can you use reuse ENT lamps with skip that last step is to get activation 26:38

code back in the cloud will resetting this awful going to get kind of a long long string here that we just get a copy and paste long the alphanumeric 26:47 string there. And once once you paste this in and save it off a little bit of consult or we can monitor some 26:55 details of the the virtual machine will see that it turns green. Then we go back to the cloud. We we detected in a movie or anyone else. Where can I 27:05 get some kind of a reverse connection from the Gateway connector back to the Gateway Service setup. No, we can complete in a week. We're going to set 27:13

up basica SSO here. This is the end till I'm now we complete our Wizard and then we're back to her standard in a process for revision new subscribers. 27:22 So in a pretty straightforward setting up access to your internet site seamlessly from your your web at your workplace out 27:30 if you're familiar with this is not much here. Listen. News. I don't think it'll take another look at doing this with 27:40 with forms authentication. What will get some steps are going to go through in the beginning of the route of the setup will skip will make sure he 27:49

slick inside my corporate Network. This is what we do for for web apps. Going to give name Euro to get to the site change the icon. 27:58 backdoor enhanced security settings and her words were selecting are a Gateway connector. So once we have one or place for every time we watch them 28:11 should be at other webapps reason we can use that same Gateway connector rub portion to recommend two or more right for for backup purposes are going 28:19 to enter specific Euro information about logging into the URI portion to login into that web app. And once that saves off from the know that was for 28:27

reforms right there a little bit different. So go ahead and provision our 28:36 users same same process. I'm going to tell what wash rinse repeat, you know, it's easy 28:46 to avoid mistakes from the administration and prospective similar economic. You look at the a user experience. We're back in at work. We see video 28:55 after you go ahead and watch it. We still receive the watermark show up. So we're still using those access controls of the web app. And then we 29:04 see for example here. We have an email if we get to know those fishing links we can go ahead and block it. If it's in the access control your the case 29:14

where we have it on Prime application being protected the same way of classification is with all the same threat intelligence backing it up and the 29:21 same consistency of policies and you don't have to set these policies the same across every every app. You can have a different policy selection to be 29:28 able to do it and it also feeds into our analytics service. So you get a lot of Rich Telemetry out of that as well. So yeah, it's a it's a great true 29:36 hybrid Cloud story, except. Yeah, this is really what the work spaces is about Ray bringing together all of our technology and capabilities. Throws 29:43

cat with shift gears and talk about our last of the three areas were focused and we talked about sass apps web apps not working 29:53 anymore, I forgot a millennial. I guess. I don't know. How can 30:01 we can 30:07 passwords because no one wants to spend the time and energy button complex password that tiny little keyboard 30:17 session is actually the mobile device. 30:21 So we talked about with you again, we get to we can get us a table so we can talk about it. After that. We talked about SSO using the workplace app. 30:33

So we're doing this with Mater mobile apps free apps that sitters doesn't own but we're going to install it from public at stores and went to provide 30:43 the ability to do single sign-on through the workspace service. It's all we're not seeing this week Tech preview for mobile SSO. 30:52 It's going to take a look at the user experience. I'm still here. We're on our 31:05 mobile device with launch the workspace app and we're connecting to our site and during our credentials. 31:14

Here we see we have we have the Slack XO so the Slack app if if we don't have any other mobile apps installed first thing we'll have to do is install 31:27 Secure Hub. Right then we have to get that device enrolled. Who was we skip ahead kind of through the enrollment process but once the app is installed 31:34 will see that here. We have a VPN connection. And so any mobile as the snow is going to utilize Citrix SSO technology will see you once a 31:43 VPN at set up. The user is able to log into Slack and no need to enter their credentials. In fact, when we entered entered the domain there. We're 31:53

just kind of dumb Wayne mobile SSL, but we can we can alleviate that with another endpoint management policy. New York uses Flack 32:03 Okay. So let's take a look at the architecture behind that again similar kind of diagram and that you're going to be similar steps. Are we going to 32:17 start with the workspace App log into the workplace diversity that initial active directory. Is there active directory Authentication? Never going to 32:25 get them the mobile app push down. This is something in point management can do. I'm in here somewhere secure help comes into play roster need secure 32:35

Hub on that device is going to roll with your role in the endpoint management instance. And then at this point what will get into the admin details in 32:43 a bit? We're going to push down a policy and if it's not already on there going to push down the Citrix SSO app and so what we're going to do is it when 32:51 when the Slack app starts when I intercept that call and we're going to set up a VPN to the Gateway service using the Citrix SSO app 32:59 and at this point we're back. This is similar steps with the disaster. So Gateway service is going to get it in a prescription and it's texting a 33:08

proxy and communicate with the service provider on behalf of that app return the assertion to the Slack app for the any of the 33:18 public app for providing answer. So for you to communicate with a service provider validate that and then at this point, we have two options one is 33:28 that the traffic continues to flow through Gateway service, we can proxy that connection through the service provider other option is a we can do a 33:36 split Gateway, right so we can avoid that and have the app go directly to the service provider. If you choose to take that route. Scott, you'd 33:44

mentioned using a lot of different elements of technology. This is River a great example that I were talking endpoint management Gateway Workspace by 33:53 the technology orchestrating working together here. Yeah, you know, what's really interesting is he gone to all these different use cases? Diagrams 34:03 are all relatively simple. You're probably already bored seeing the same lines have been drawn and advantages of having that is that that's a 34:09 well-tested well architected infrastructure and that consistency also translates to like it kind of a concealed consistent user experience as well. So 34:16

until we actually works to make sure that it was actually the same as we can make it and the exceptions like the endpoint enrollment and things like 34:25 that was our device specific needs for the actual authentication portion of it the inline control portions of it. That's all similar which means we 34:33 can afford that, Talia policy make Ashley Neal the management of this a lot easier. Good deal. Okay until it's it's Rhonda South today. Let's talk 34:40 about the admin experience for this. So we're going to start in Citrix 34:50

Cloud and first one is doing to our endpoint management and we have to do a few steps here. First thing we're going to do is add an entry for the 35:00 public app that we want to push to the endpoint. Right? So in this case, it was Slack will get in search of that for free iPhone. 35:10 Select that move to the wizard and then fly to the iPad as well was going to show the iOS or so beyond select other platforms we go to the flight at 2 35:20 delivery group. And I will go ahead and will create an app inventory policy. This is needed for the endpoint management to know what apps are on the 35:28

device. And which one is going to push the VPN policy to renew some instances. This is already created for you. Now we're going to go and create 35:38 a VPN policy and this is really one of the most important steps here. We're going to set it to Citrix SSO. I'm 35:48 going to give a f e d and are sold as of the tech preview. It's going to be VPN. NetScaler Gateway than that, but that can be subject to change. 35:58 This is where you know if it's going to know which of those doesn't now 14 Pops to connect to a VPN. Right? We don't want this for the whole device. 36:08

It's going to be for this specific app we're going to specify select on demand. We only wanted to get set up when the app is in use when we open the 36:16 app. I'm going to send it to packet tunnel and then we're going to answer is fire demand. It could be the same after this is so that if the app 36:24 uses Safari network capabilities in those to intercept it bad as well. We'll save it off when they're going to 36:34 do but that's proven in a flag if you wanted to split tunnel and avoid proxying that dated traffic through Go ahead and go to the wizard and I can 36:44

apply this to the user group. And so this is going to be pushed to any users that are part of that user group. It's the last appearance. 36:52 We need to add an app attributes policy. And this is just required to Miss Israel West right? We're going to map the 37:02 VPN policy back to that specific Slack app on the endpoint. We select our VPN policy right there and that's 37:12 it on the endpoint management side. It's an hour equal navigate back to Citrix Cloud and we'll drop into 37:21

Gateway and I will back to her single sign-on wizard right we're doing the same identical set up right now at that we did for SSO apps 37:31 in the app on the mobile device is going to be no use of VPN to get transported to the Gateway. And then it's going to utilize the settings 37:41 to do that. Say Melissa phone negotiation on behalf of the surrounding are specific to mean for Slack right there. And these are steps. You would add 37:51 just for the SaaS the Slack app. Anyway, you're just doing it again the show yo got it to the mobile device. You're going to be 37:59

able to take So here we are in the black face or entering our 38:06 SAML details. This is the same old and help you search 38:15 neuro will putting in our specific Slack domain. 38:25 And then here's our XML file again with SAML details. So I'm going to get 38:37 some similar similar stuff, you know, the devil's in the details a little bit slightly different steps are right for each one a little bit different. 38:47 We have to repay stick it in for a few when I can import that are going to put in the Entity ID. That was a string of the very top of the XML 38:55

file. Here, we we put in the afternoon, right? This is this is for 39:03 our actual Gateway Mexican or gateway. Gateway. Pop star Steph Curry are user-friendly 39:13 certificate and round out the configuration on the service provider side. And yeah, I'm really 39:22 proud of the beginning and certificate because I was on Twitter and sell it to someone who's complaining that that wasn't there and it's not working. 39:32 So I actually took that feedback and make sure to put it is okay. If you can thank you for the provision that way and then finally to see we're 39:40

back in the library easy peasy. We're going to subscribe to select auto group in out for the users on the influence that are going to have the Slack app 39:50 provisioned. Then they're ready to open the app and have single sign-on. So is that that does it for us now? We're going to go ahead and wrap 39:59 things up. We talked about, you know, SaaS, it's really important keeps growing in enterprises and we make it simple to configure and easy for the 40:09 end-users absolutely in becoming more popular in 40:17

every cloud digital transformation conversation. I had with customers or never in the same place. Every one of them is in a different 40:24 place. And so we're trying to be prescriptive out what the journey should be for sure why this is why this is so flexible. And then where it 40:33 worse at doesn't work if you still need those back and that's right. We make it easy to get to them using the Gateway connector based on, you know 40:39 years of Citrix ADC technology access control policies on top of it. So you're not losing any control rachio 40:46

adding more. I security controls on top of all your apps that way, you know using similar configuration process were bringing that singles. 40:55 Everybody's the mobile app so that consistency of configuration for those mobile app. Hopefully it's easier for your administrators. It kind of 41:03 quickly provision these thing it's another sessions check out text Zone. Said, it's not calm. There's a couple out there and access control 41:10 in the one on mobile SSO and they can get the sticker after another funny stickers to put on your back your 41:20

PC or mobile device pretty cool stuff 4th 41:30 episode. We're going to talk about content, right? So now we ever see you. Can you get your apps on your endpoints you need content to do stuff and 41:40 we're going to talk about how we can manage that story songs and over there connectors we can get access to that content wherever it's stored and 41:49 provided security and provide a great and user experience with the workspace service. Nice working with you. And then so before you leave, 41:57

please be sure to fill out those surveys in your your app and the sessions are actually I think Up On Demand on the subjects. Com website and by 42:07 June 3rd, you be able to download the presentations and please do rate this app and give us any feedback. You can for future sessions 42:17 look for session feedback in the mobile app and be sure to play a game on App and take advantage of the early other the field the trials as well. And 42:26 I know it's there there's a lot of stuff going on and stays here but Hands-On is definitely the best way to learn this stuff. So they'll be plenty of 42:35

opportunities hopefully for you to do that has a 42:41 sister. So it's also Sun itself face near The Learning Center in so you can go do a self-paced lab to get hands-on to do this while you're here at 42:51 Synergy. Obsession hashtag Citrix Synergy, or he's got to the workspace can give you some feedback quickly good feedback. And 43:00 that's a wrap. I think we have a minute or two for questions for anybody has any questions feel free to use the microphone to be up this being 43:10

recorded So I meant wants to dancing questions. Awesome, if you don't yes legis in the front hair after we're done. So thanks for 43:19 your time today. 43:29
