I have had the pleasure of testing this new version and i must say that it is an incredible client. This Receiver really brings some much needed functionality to the mobile device platform. And though i am a big fan of the iPhone i really hope Citrix will manage to bring this level of functionality and features to the other emerging mobile device platforms like Android. Citrix has a tech preview out of their Android receiver it can be found here: http://community.citrix.com/display/xa/Citrix+Receiver+for+Android

Bringing it back on topic, the Receiver for iPhone has been out for quite some time now and have been downloaded more than 300.000 times. The receiver was a 1.0 up until now! With the release of version 2.0 i actually see a lot of cool features which will help make it a more usable platform for companies and organizations.

I have chosen to highlight a few of the new features:

Support for Multiple Accounts

This is a great feature and embraces the opportunity to also allow users access from more than organization or allow applications to be delivered from the Cloud.. or SaaS providers or what you will call it To support this there has also been implemented a search function to allow users to find the apps they need.

New interface

The new client has a completely different interface for applications, favorites, online help and much more. These are really great changes with an even more iPhonish look and feel, and more useful to users and better administrated by administrators.

Better Support for Citrix complementing technologies

With the new release and some from 1.0.3 there is now an integrated support for Access Gateway Standard, Advanced and Enterprise and of course Support for XenDesktop 4.

Usability improvements

There is a lot of improvements on the usability side of things, just to mention a few it is great to work with the options to Change the initial zoom value, hide status bar, change session resolution and one of the really cool features when working on the iPhone.. a “Caffeine option” a built in feature to help keep the screen active.

Another cool thing which i am a big fan as most who have read this blog will know.. SMS stuff.

2-factor support has been improved and revolutionized

Of course Citrix quickly added support for traditional tokens primarily the RSA tokens. But one of the cool new features, is support for SMS Based 2-factor solutions like SMS PASSCODE. I have written about SMS PASSCODE several times here, here, here and here. The integration allows for the users to log in securely into the company applications using 2-factors on their mobile devices without having to memorize the SMS based 2-factor code from an SMS and then type it into an application. It is based on a technology in which the SMS recieved on the mobile device contains a link which is allows sending the code into the Citrix Reciever application. I do not have a demo-site for this feature ready at the moment but i hope i will have one soon. Until then you can test the SMS PASSCODE solution here on their demo site.

More than i love the technology i love the convenient way in which users can access their applications.. POWER TO THE USERS! Power to convenience!

If you want more information have a look here at Chris Flecks blog post: http://community.citrix.com/display/ocb/2009/12/21/Feature+Rich+Citrix+Receiver+2.0+for+iPhone+is+in+the+App+Store

and on the matter of mobility Vinny Sosa did a blog post here: http://community.citrix.com/display/ocb/2009/12/11/Mobilizing+your+apps+-+Part+I+-+Session+Resolution

And of course keep up to date on the iphone receiver site here: http://community.citrix.com/display/xa/Citrix+Receiver+for+iPhone

Rene Vester

I was super happy to hear that SMS PASSCODE was nominated by the SC Magazine as a Security Innovator finalist and even more happy when i heard they had taken a fourth place in the Security Innovators Throwdown! Congratulations to SMSPASSCODE, it has been an incredible journey from when i first saw the product and to the mature state it has reached now. I still need to finish a review of their latest version 3.0, it will be here soon.

Some of the key features i want to point out to everyone even if you do not read the entire articles, why i like the SMS PASSCODE:

• Typically offers a higher level of security than traditional tokens
• A lot more convenient for the end-users
• Easier to administrate than the physical tokens
• No logistics, tokens back and forth
• Very low Total Cost of Ownership

Until i finish my review of version 3.0, if you guys want to learn more about SMS PASSCODE:

Website: www.smspasscode.com
Earlier review by me: Permanent Link to 2-factor authentication for Citrix, VPN and remote access in general using any 

And even better, if you want to try it out, have a look at this post: SMS PASSCODE launched a demo site

Or click here to go directly to their Demo-site: Demo site

Congratulations again to SMS PASSCODE for moving up in a really tough world

Rene Vester

Another major problem with this memory leak is that even when the service is no longer working as intended the service still listens on port 443, so a load balanced setup will not be able to detect the problem.

Read more on Shawn’s blog here: http://www.shawnbass.com/Blogs/tabid/58/EntryId/164/Beware-of-Secure-Gateway-v3-1-1-it-has-a-major-memory-leak-that-will-take-down-your-WI-SG-environment.aspx

Also if you need to downgrade be aware of the known security vulnerability in 3.1.

Rene Vester

Thanx for the guide Alexander..

You can read the entire article here: http://www.ervik.as/index.php/citrix/xenserver/1885-how-to-run-citrix-access-gateway-cag-on-citrix-xenserver

Rene Vester

The reasons for this trend is tightly connected with the fact that the solution is session-based so it eliminates both pharming and phishing attacks which are becoming more and more common. And maybe as the most important change it provides a lot of customers with a solutions which is way easier to administrate, both when it comes to internal users as there is no distributions of a physical device, but also in cases of external consultants where many have experienced that tokens disappear and if you look away from the security aspect it is usually quite a bit of money that goes into these tokens, which are often lost. With SMS PASSCODE, customers are able to just remove the external consultant from and AD-group and the “2-factor access” is revoked. In case of general consultant users changing personality it is just a case of changing the phone number in your active directory.

Anyway…. What i wanted to do with this post was to congratulate SMS PASSCODE on making it to the Red Herring list of “Top 100 most promising Tech Companies” in Europe. I think it is awesome that the guys have been able to spread the technology and that it is now being even more widely adopted. Way to go guys. You can check out the list here: http://www.herringevents.com/europe09/redherring100.html

If you want to try out SMS PASSCODE you can easily do it at their demo site here: https://demo.smspasscode.com/Public/Home.aspx

If you want to know more about SMS PASSCODE have a look here or here.

As i visited SMS PASSCODE yesterday i also had the chance to dig into the upcoming version, and trust me its going to be great, i will post a review when the material is released

Rene Vester

For the IT-Department, the cost savings and the easy implementation and almost no deployment needs, usually make them fixed on the solution. But how will the solution appear to the end-users? will they accept it?

Now you can test the solution here: https://demo.smspasscode.com/Public/Home.aspx

Rene Vester

SMS PASSCODE, next step in lowering administrative costs in relations to 2-factor authentication?

First of all, let me just point out that I don’t do ordered product reviews, what I choose to write about is what I think makes sense and what could make life easier for IT Departments and in this case actually easier for the users as well.

So, SMS PASSCODE released their version 2.5 and it is looking great. A while back I did a blog post on the first version I got my hands on titled: The ”new” 2-factor authentication product SMSPasscode

So what is new since then? Well let me start out with what the concept is, I am guessing there is still quite a few out there who haven’t had the chance to use the product so far.

I think everyone working in IT knows that remote access to our companies should be secured by 2-factor authentication. Typically this means something you know like username and password, and a token, a sheet of sequenced numbers to answer a challenge, biometric(anyone uses that?) or even something like BioPassword.

In all its simplicity, this means there are two factors:

1. Something you Know
   1. Typically Username/Password
2. Something you Have
   1. Mobile-, cell phone
   2. Token(RSA, Safeword)
   3. Paper Keycard(numbers on paper to answer challenges)
   4. Eye
   5. Finger
   6. Rythm of typing

This is what I think we can all agree on right?

So what have we done traditionally? We have used tokens for the most part. And why? Well the integration was good with products like Citrix Web Interface, there were agents for Radius so we could use it with VPN and most had a solution to also support things like Outlook Web Access etc…

So all in all we had one solution for the most part that could cover our remote access needs, great!

So, when we all set this up, managers were happy, users got used to carrying the token around and we went on to more interesting projects.

But what about these tokens? They were in fact the magic key which was making sure we would not allow someone to just steal username and password off a post-it.

Well I found that people had to make a lot of administrative tasks to make sure that tokens were managed securely whenever:

• A user left the company
• A token were lost or stolen
• A token ran out of power
• A token had to be distributed to external consultants before they could work remotely
• Tokens had to be called back when the work of external consultants was done

That’s just some of the pains that I have seen on the management side of the token solution. Don’t get me wrong tokens do the job great; they just require a lot of administrative effort.

So enough with the common knowledge stuff

A new way to do this hit me a couple of years back. A few Danish guys had worked with a customer who could not make his employees work from home. The tokens were always in the other pair of pants, left at work, forgotten in the car, or out of power because the kid used it for a chew toy…

So the customer asked why he couldn’t just get his token-code on his Cell phone… it was their most important tool to do their job, therefore they always had it on. And I could totally agree. I always check my pocket for my phone when I get up, leave a room or the likes.

So they decided to give it a try, not just make a solution to send it via SMS, that had been done before but to make it a personal scalable solution.

This is what they came up with:

Corporate Credentials Registry

They decided that the best way to find username and password were by using the existing domain so they decided to support LDAP integration. This means that on basis of LDAP and group membership you can have support people adding a new user to the ‘Need external Access Group’ and adding in his cell phone number under the ‘mobile’ area of the telephones section of your active directory and within 5 minutes the user can log on remotely using only his browser and his cell phone.

Load balancing services

This is something that was added in along the way as scalability required that customers could separate the roles and load balance between them. Ex. also to make sure a SMS (text message) would not be stuck on a Modem which for some reason stopped sending out messages.

Transmitter Services

These are in charge of dispatching the passcodes via the SMS modems to the users.

Authentication Clients

Now these are the important part. These are the agents for different access types. The currently supported agents are:

• Citrix Web interface
• Radius Challenge/Response
  • Checkpoint
  • Cisco
  • Citrix Access Gateway
  • Juniper
  • Etc.
• IIS sites(by using ISAPI filters)
  • Outlook Web Access 2003
  • Outlook Web Access 2007
  • IIS web sites using integrated windows authentication
• Windows logon(by altering the GINA)
  • Terminal Services
  • Windows Servers
  • Windows Workstations
• Logon Points in Citrix Access Gateway Advanced edition.

All these together support most of the interfaces I come across in my daily work.

So how does it work for the user?

The logon procedure is the same for all the authentication clients,

the user logs in using his username and password, if this is done correctly and Active Directory, Novell or whatever replies with OK, a passcode is sent to the phone number registered with the user and the user is presented for a field to ‘enter passcode’. When the user enters the passcode and it is done from the same session that initiated the request the user is validated and allowed inside. This method is by the way called challenge- and sessions based 2-factor authentication and is a more secure method than ex. regular hardware based tokens since it prevents phishing.

I have found the integrations that have been made so far have been done quite nicely, let me try to take you through a couple of examples.

Citrix Web interface

The log in page we all know.

If the username and password is validated, in this case in active directory, a passcode is sent to the cell number registered on the user in active directory. The user is then presented with a field to enter the passcode, with information on the status of the SMS

and how long the passcode is valid.

If the passcode is valid users gets approved and are allowed into the applications.

Cisco VPN client, using Radius challenge/response

As normally the user logs on with his Cisco VPN client

And after validation of username and password using radius a challenge is sent in shape of a text message to the cell phone and the use is presented with a passcode response field

After the passcode has been validated the user is allowed access.

Windows logon

And my last example in this post will be the Gina. I have spoken to quite a few customers who would like to publish a terminal server directly on the internet using just RDP. One way of making this kind of solution a bit safer is to integrate 2-factor authentification into the GINA of the terminal server.

Before I show how this works, let me just point out that it is possible to make local groups with people who are not prompted for passcode when they log on.

So… you log on to your terminal server using whatever URL in your remote desktop client.

And in the same manner as I showed earlier in the article it then ships a passcode to the users cell phone and prompts the user for the passcode.

The supported platforms at the moment for the GINA agent is

• Windows XP pro
• Windows Server 2003
• Windows Server 2003 x64
• Terminal Server running 2003 or 2003 x64

Is SMS PASSCODE the only way to go?

For sure no SMS PASSCODE provides a great way to deliver passcodes to the mobile work force. And luckily there is support for side-by-side functionality with SMS PASSCODE and RSA, Safeword so that you can use the best solution for the individual user.

So why is it that I am using SMS PASSCODE more and more?

Well for me SMS PASSCODE provides a stable, secure and scalable 2-factor authentication platform. It integrates in to most of the products I come across and on top of this it solves one of the main issues that my customers experience today.

On the administrative side of the token issue SMS PASSCODE solves quite a few of the pains for me.

• A user left the company
  • User is disabled in Active directory my helpdesk and thereby loses all remote access
• A token ran out of power
  • The cell phone is simply recharged on a regular basis
• A token had to be distributed to external consultants before they could work remotely
  • Users and cell numbers are simply added and the users gain remote access.
• Tokens had to be called back when the work of external consultants was done
  • Whenever the user is deleted or the cell number is removed, the license is freed up and can be used for another user.

We considered SMS before, but there is no QoS on SMS…

This is true but I will have to say that I have heard about problems when sending a SMS from a “western” SIM-card to a Chinese SIM-card. Sending a SMS from a Danish SIM-card to another Danish SIM-card in China is not a problem. The same seems to be the case in Slovakia. In these two cases I have had customers which have not been able to have the passcodes delivered in time, and for those users we have just raised the time limit of the OTP.

Besides that I have a lot of customers sending all their SMS’s from Denmark to users all over and the general opinion seems to be that this solves some of the token-pains for a large group of their users.

Conclusion

Everybody is using SMS today, everybody has a cell phone(how else would we vote in next episode of Idols?), why not use a device which is already found almost everywhere?

On the security and administrative side of things, I have heard of users where their token has been misplaced for weeks, months without them taking action. But whether it is a private cell phone or company cell phone, I have heard of only a few who has been able to live without it for more than a few days. And the users can even call their own Service provider and have their phone(token) locked out, saving the it-department the hassle of having a 24-7 phone support to help people who lose their tokens.

I want to become even more mobile and I think this product could help a lot of people to ease the troubles of having a secure remote access strategy.

/Rene Vester

Product outlineThe product consists of an engine, transmitters and modems. The engine tags the usernames to the predefined cell phone number for the user, and the transmitters and modems sends out the SMS-Text message.

The logon process with Citrix WI and AG

You connect to your Citrix Access Gateway as we all know it. There is no changes made to the Access Gateway as it is done in this example I setup "Forwarding of credentials" from the Access Gateway to the Citrix Web interface.
So I log in on my Access Gateway logon-point.

As I type in my username and password and hit ‘Login’ I am transferred to the Web interface-server and my username and password is forwarded from the Access Gateway. I am now prompted for a new pass code. This pass code is not in my possession but as soon as the SMSPasscode service detected my logon an SMS with my pass code was dispatched and arrives within a few seconds as a Flash-SMS on my cell phone. Whether you want a Flash-SMS or not is optional and can be configured from the web administration console.

As my cell phone lights up I type in the pass code and is forwarded to my accessible Citrix Applications.

The product seems very reliable, and easy to administrate when put into production and the great thing is that this product can coexist with Safeword or RSA and you are able to provide differentiated methods for 2-factor authentication, maybe you have external partners and want them to only log on once or twice, this is easily done with SMSPasscode as you can simply add a user and join it with a phone number in the administration interface and the user is able to log on, without having to dispatch a physical token to the partner or customer.

SMSPasscode is running on its third year and the product has matured nicely. Within a few months a new release will be out a version 2.0, to mention a few of the new features:
- Radius Server
- ISAPI
- LDAP

The new features will be welcomed and in particular I am looking forward to the radius option to see how well the integration will be directly on the Citrix Access Gateways. But all this will come hopefully within a month, and I will be sure to write a post about the version 2.0 release as soon as I get my hands on it.

Where do I see SMSPasscode integration in the near future

My personal belief is that this technology could actually mean the beginning of something great as I can imagine public institutions using this technology to provide 2-factor authentication when we are doing our taxes online, shopping for pizza or even when trusted users log in to the most confidential parts of our ERP, CRM or what have we. The technology is suddenly opening the door as we can now remove the logistics tied in with delivering a physical token to customers, partners or employees.

My impression so far

As it has might shown through this post I am very excited about this new product and the possibilities. The features to support a Citrix Access infrastructure is in place and works very well and the next exciting step for me will be when we get the extended integration in form of ISAPI, LDAP and Radius.

I will deliver an update on SMSPasscode as soon I have had a chance to work more with the version 2.0. If you want more information you are welcome to contact me or take a look around www.smspasscode.dk they have a good site with lots of good information, screenshots and testimonials from their many large Danish customers.

/Rene Vester