Securing Network Access through Citrix VPN or other Alternatives
Citrix Gateway is a remote-access solution available as a hardware appliance and cloud service. It integrates with other Citrix applications, including Citrix Virtual Apps and Desktops. Citrix VPN is the add-on that provides full Secure Sockets Layer (SSL) virtual private network (VPN) capabilities to Citrix Gateway, allowing users to access remote applications on internal networks securely.
How Do You Connect Using Citrix VPN through the Citrix Gateway Plugin?
The connection is set up and used as follows:
- The most common deployment scenario involves putting the Citrix Gateway appliance in your organization’s perimeter network, adding more appliances to the network when required.
- If you are subscribed to the Citrix Gateway service, Citrix takes care of everything for you.
- Central to using Citrix VPN is deploying the Citrix Gateway plugin on PCs and devices allowed to access remote applications on the network.
- With the Citrix Gateway plugin installed on those devices, a full VPN tunnel between the appliance and the connecting device is established whenever a user logs on to the network.
- The Citrix Gateway plugin is available as a desktop application for Windows, macOS X, and Linux machines and as a mobile app for Android and iOS devices.
- It also supports every major browser on all supported platforms. Users may also choose to log on to Citrix Gateway from web browsers installed with the Citrix Gateway plugin for Java.
- When using Citrix VPN for the first time, users authenticate to the secure URL on the Citrix Gateway appliance using their browsers. Upon successful login, users are prompted to download and install the Citrix Gateway plugin.
- Once users have installed the Citrix Gateway plugin, the next time they need to access the network using Citrix VPN, all they have to do is click the icon to establish a connection.
Two-factor authentication (2FA) for Citrix VPN is available via third-party appliances.
What Is Citrix Always On VPN?
Always On VPN before Windows Logon is a feature in Citrix VPN that ensures Windows users have an always-on connection to the network. With Always On VPN, a VPN tunnel is established on a Windows device before the user logs on.
Citrix Always On VPN works like this:
- A machine-level tunnel is started as soon as a user turns on the device, with Citrix Gateway using the device certificate to establish the connection.
- When the user logs on successfully to the device using their Active Directory credentials, the user-level tunnel takes over, allowing them to connect to the desired applications on the network.
- When the user logs off the network, the user-level tunnel is turned off, and the machine-level tunnel turns on again.
Administrators must set an advanced policy for the Always On VPN feature before it can be used on the network. This policy entails creating an authentication profile, an authentication virtual server, and authentication policies that are bound to the authentication profile. Thus, its setup can be complicated.
What about Citrix Clientless VPN?
Citrix VPN also provides clientless VPN access to the network and web applications via web browsers. In this case, users are not required to install the Citrix Gateway plugin on their devices. This is crucial if users do not have access to their regular devices but need to connect to the network, albeit in a limited manner.
You can enable clientless access globally or use a session policy for a user, group, or virtual server. You can also encrypt the web address as an additional security measure. It is a good idea to turn this on, considering Citrix Gateway’s history of VPN server breaches.
Applications that can be set up for clientless access include Outlook Web Access, Outlook Web App, and SharePoint 2007. While Citrix VPN provides pre-configured policies for these applications, you might want to configure your own policy since you cannot customize those policies.
Parallels RAS: An Alternate Approach to Secure Your Environment
Parallels® Remote Application Server (RAS) offers a comprehensive solution for organizations looking for a secure remote-access solution for their applications and data.
Parallels RAS supports multi-factor authentication (MFA) using Azure MFA, Duo, FortiAuthenticator, RADIUS, and Google Authenticator, among other products. It enables the creation of unlimited independent sites inside the same farm, ensuring that data, applications, and desktops are not shared across sites. Management of your multi-tenancy environment is also more streamlined and done from a single pane of glass with the Parallels RAS Console.
Other Parallels RAS features include:
- Granular filtering rules to restrict user access.
- Single sign-on (SSO) authentication using SAML.
- Support for secure kiosk-like mode.
- Client policies that enforce organizational protocol.
- Smart-card authentication for published applications and desktops.
It also supports SSL or Federal Information Processing Standards (FIPS) 140-2 protocol encryption in compliance with:
- The Payment Card Industry Data Security Standard (PCI DSS).
- The Health Insurance Portability and Accountability Act (HIPAA).
- General Data Protection Regulation (GDPR).
- Other standards and regulations.