Even before the COVID-19 pandemic accelerated digital transformation plans, enterprises everywhere were working to change how they kept their employees and infrastructure secure. While employees expect the same user experience whether they’re in the office or working from home, a café, or on the road, enterprises need a consistent security posture that provides protection no matter where employees are, which device they’re using, or which app they’re accessing.

Traditional security models have their shortcomings when it comes to delivering on performance and security. Consider a hub-and-spoke model, where a security solution is deployed at the datacenter. It adds latency, and policies don’t follow users as they move from one location to another. The solution is complex to manage, too, and requires admins to keep software up to date.

Cloud-delivered security overcomes these challenges. Software agents installed on endpoint devices, direct traffic to the security service, ensuring that users remain protected, regardless of their physical location. A cloud-delivered security solution often has security points of presence (PoP) close to the user, ensuring that there is no need for backhaul of traffic, minimizing latency. There is no hardware to manage and updates — software and threat intelligence — are automated, which simplifies operations. While there are several more advantages to talk about, cloud-delivered security is one of the key changes enterprise networking and security teams need to make for a fast, consistent, and secure experience for end users.

Cloud-delivered security protects direct internet access — users are still dependent on the performance of commodity Internet for their application experience and productivity. This challenge can be overcome through a truly unified Secure Access Service Edge (SASE) approach.

A SASE approach, with consolidated SD-WAN and cloud security, enables IT to create consistent security policies across users while simplifying operations, all while ensuring resiliency and consistency in performance across the entire network. Citrix SASE solutions unify the digital workspace, providing fast, consistent, secure app delivery to all employees.

Get a primer on SASE, learn about Citrix’s fully unified, ready-to-deploy SASE solution, and check out the SASE capabilities available with Citrix solutions in the graphic below.

One solution that supports SASE is Citrix Secure Internet Access, a cloud-delivered service that provides secure access to web and SaaS apps around the world. Citrix Secure Internet Access is available via more than 100 PoPs globally and provides a complete stack of security capabilities such as:

  • Secure web gateway
  • Cloud access security broker
  • Malware protection with sandboxing
  • Firewall, Intrusion prevention and detection systems
  • Data loss prevention
  • Analytics

Citrix Secure Internet Access’ architecture provides a delivery mechanism for connections and can attach to other solutions to enhance performance and security. Admins can use several traffic redirection methods to secure users, no matter where they are as they access cloud and SaaS apps, redirecting their internet-bound traffic to Citrix Secure Internet Access.

In this blog post, I’ll look at the four redirection methods available for Citrix Secure Internet Access: PAC files; a Citrix Cloud Connector agent installed on corporate devices; DNS redirection; and GRE/IPSec tunnel redirection for offices.

Redirecting Traffic to Citrix Secure Internet Access Service

It’s helpful to start by looking at the types of users you’ll typically encounter when redirecting traffic to the Citrix Secure Internet Access service.

They are:

  • Users in a corporate office with an SD-WAN at the edge or users working from home where there’s a smaller SD-WAN appliance at the edge of the employee’s home network.
  • Remote users on personal computers or mobile devices who are connected directly to the internet or who are accessing virtual apps and desktops where the VDA is connected to internet resources and the device can be protected by Citrix Secure Internet Access security policies.

Let’s take a closer look at the four redirection methods and how they compare to each other.

PAC Files

The first method that can be used is the ability to protect networks by redirecting traffic using proxy. Users and/or devices will have an explicit proxy configuration or proxy settings configured in their browsers, and the web request will get redirected to the Citrix Secure Internet Access service. Proxying is the primary method of data redirection for Cloud Connector agents.

This method should be used when installation of Cloud Connector agent is not possible.

There is some configuration that needs be done, which can be streamlined with GPO and Proxy PAC files. Also, considerations need to be made for installing MITM certificates required for SSL decryption of encrypted web traffic.

Citrix Secure Internet Access Cloud Connector

Let’s start here by looking at some of the traditional approaches.

Traditional Model

The traditional approach is to secure internet connectivity by sending traffic through a secure web gateway (SWG) that is located within the corporate network.

Although this is a simple and easy deployment, it does not provide access to offsite users. Also, if multiple branch offices exist, separate secure web gateway appliances need to be installed at each branch office. This can be a significant investment for organizations with a large number of offices or branches.

Data Backhauling

A common method for accommodating remote users and branch offices is to route traffic through the primary datacenter before it is sent to the internet.

Once the data is within the datacenter, it must pass the same route as internal traffic, going through the core switch and then redirected through the secure web gateway. The data is then sent to the internet. This process is called “backhauling” and takes a large number of steps and additional overhead. Citrix Secure Internet Access Cloud Connector agents solve this problem.

Citrix Secure Internet Access Cloud Connector

Citrix Secure Internet Access Cloud Connectors solve the problems by connecting users directly to the Citrix Secure Internet Access service.

Directly connecting to the cloud minimizes latency for remote users and branch offices by eliminating the need to backhaul traffic through the organization’s datacenter before it is sent to the internet. Whether a device is onsite or at a remote location, Cloud Connectors enable you to maintain the same standard of security that is provided by an on-premises secure web gateway. It’s the simplest method to administer and the most popular method for managed devices. The Cloud Connector agent is supported on iOS, MacOS, Android, Windows, ChromeOS, and Linux devices.

When users sign in, the agent automatically authenticates them, sending the user name, security group association, and IP address to the Citrix Secure Internet Access service without requiring additional logins.

Through the Citrix SD-WAN Orchestrator portal, you can retrieve the Citrix Secure Internet Access Cloud Connector agent by downloading a binary file and installing it on a target machine manually. The portal uses admin configuration inputs to create a tailored configuration or installation file that you can deploy en masse via GPO, MDM or other deployment solutions. You can use the following deployment methods for the agents:

  • Active Directory GPO policy (Windows devices)
  • Mobile Device Management (Apple or iOS devices)
  • Google Admin console (Chromebooks)

There are several benefits to having the Citrix Secure Internet Access Cloud Connector agent installed on devices:

  • Cloud Connectors provide secure internet access to users from any location, whether they are “on-premises” or offsite.
  • They eliminate the need to have branch offices and remote users “backhaul” traffic to a datacenter before being sent to the internet.
  • They enable you to create security policies that “follow” users as they move to different locations or switch to different devices. This provides a consistent experience without needing to tailor policies to specific networks or locations

DNS Security (Redirection)

Another method of traffic redirection is DNS security, or DNS filtering. While a Cloud Connector agent is used mostly for managed devices, you can use DNS security for unmanaged devices.

DNS security enables network admins to force the user or devices to use of a specific DNS server.  After directing all DNS traffic to the desired DNS server, you can use DNS filtering to block access to a specific domain or specific categories. DNS doesn’t give you the payload inspection. It just protects against queries made by the device.

We typically see this redirection method on unmanaged devices (BYOD devices) or guest networks, where IT may not have the ability to change the settings on those personal devices the organization doesn’t own. Using the agent is the better approach for company-owned devices because it provides the ability to scrub the data, like when encountering zip files or PDFs. Security policies can be based on per-location basis, and analytics are made available by each location.

GRE/IPSec Tunnel Redirection for Offices

Finally, let’s look at using generic routing encapsulation (GRE) and IPsec to redirect traffic to the Citrix Secure Internet Access service. Though you can use routers and firewalls here, tunnels are used primarily when there are SD-WAN devices at the edge to automate the formation of these tunnels and is useful to implement when internet bound traffic is from guest, BYOD, or IoT-type devices that need security enforcement.

In this case, authentication happens through Cloud Connector agents, SAML, or NLTM/Kerberos. Generally, for this use case, the Cloud Connector agent is still primarily used on devices that are managed, and the remaining unmanaged devices fall back to the tunneling where the corporation still wants to maintain and filter. Citrix SD-WAN becomes useful here to not only handle the secure site-to-site communication, but also the secure handoff to Citrix Secure Internet Access for internet-bound traffic. This offloads internet communication from having to backhaul through the DMZ, and also improves user experience by providing a lower latency secure route directly to internet resources.  Standing up tunnels is automated through a unified portal and management can be addressed for large-scale deployments.

With these redirection methods in mind, the simplest way to achieve user identity would be when users are using corporate devices, where IT can make the Citrix Secure Internet Access Cloud Connector agent mandatory and ensure local user identity to enforce security policies. Ensuring the Citrix Secure Internet Access Cloud Connector agent is installed would be the most recommended approach. If you have users who are bringing their own devices (BYOD), it would be difficult to manage, either due to the user’s resistance or lack of models of tools to ensure that the Citrix Secure Internet Access Cloud Connector agent is always installed, which then would result in a unverified and unreliable user identity and policy enforcement. Keep in mind that there still are other methods of agent-less redirection that can be used.

What’s Next?

This is the first of two blog posts I’m doing on Citrix Secure Internet Access. In the second part of this series, I’ll discuss how to integrate Citrix Secure Internet Access with Citrix Virtual Apps and Desktops and Citrix Secure Workspace Access. I’ll also go into more detail about Citrix Secure Internet Access for branch users.

Learn more about Citrix Secure Internet Access today, and check out our product documentation.