Thanks Jay...that makes it a little clearer. Just so I'm sure I understand..here's what I intend on doing with the remaining "grey" areas.

1. Secure Ticket Authority (STA) running on a server named "sta_server" inside of the firewall. (I intend on loading STA on another existing server as from what I've read, STA isn't that intensive that it needs its own dedicated server--correct?)
2. CSG, and Verisign on a server named "csg_server" in the DMZ. (Do I need to install a separate instance of nFuse on the "csg_server" or can this route to my internal nFuse server?)
3. Configure firewall to open ports 443 and 80. (What about the XML service port? I have it on a different port than port 80)

_____

Brian Claus, A+, Network+, MCP
Network Administrator
WESCO Distribution, Inc.
225 West Station Square Drive, Suite 700
Pittsburgh, PA 15219-1122
Phone: 412-454-2412
Fax: 412-454-2540
bclaus@xxxxxxxxxxxxx <mailto:bclaus@xxxxxxxxxxxxx>
_____

-----Original Message-----
From: Schaefer, Jay [mailto:JSchaefer@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, June 03, 2003 11:28 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: CSG implementation

Another thing to watch out for, with Secure Gateway for MetaFrame V. 2.0 Citrix suggests putting Web Interface (NFUSE) and Secure Gateway on the same box. Unless of course you are like us and implementing RSA security along with it, then they say you can put them on separate boxes.

I too have found very little documentation, but it really didn't go that bad. I still have to incorporate the RSA part, but the STA, Secure Gateway and Web Interface installs were pretty easy once I figured out Trial Certificates from Verisign require a special client install for any browser hitting it.

STA is on the inside, CSG & Web Interface Servers on DMZ with only port 443 open from outside.

Jay

-----Original Message-----
From: Claus, Brian [mailto:BClaus@xxxxxxxxxxxxx]
Sent: Tuesday, June 03, 2003 9:43 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: CSG implementation

I'm still in the design phase. Does anyone have any white papers \ best practices information on installing and configuring CSG? The stuff I've found on Citrix's web site is lacking...

_____

Brian Claus, A+, Network+, MCP
Network Administrator
WESCO Distribution, Inc.
225 West Station Square Drive, Suite 700
Pittsburgh, PA 15219-1122
Phone: 412-454-2412
Fax: 412-454-2540
bclaus@xxxxxxxxxxxxx <mailto:bclaus@xxxxxxxxxxxxx>
_____

-----Original Message-----
From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx]
Sent: Tuesday, June 03, 2003 10:22 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: CSG implementation

Well, it depends... are you running the Gateway on the same box as NFuse? I'm not. Anyway, open only the ports you need. It is far more secure. And remember, the XML communication takes place from the DMZ to the internal network. It does not need to be visible externally. You need 80 so that NFuse can communicate AND so that the certificate can be resolved, and 443 for security communications. I do it the recommended way and run a separate server for NFuse and for my Secure Gateway box. Both have only 80 and 443 open to them externally. The SG box has IIS disabled. It works well.

-Paul

> ----------
> From: Claus, Brian[SMTP:BClaus@xxxxxxxxxxxxx]
> Reply To: thin@xxxxxxxxxxxxx
> Sent: Tuesday, June 03, 2003 10:04 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: CSG implementation
>
> What about custom apps? Will they work if only 80 and 443 are open?
> (I'm assuming you mean that your nfuse server uses port 80 to
> communicate via XML...I don't use 80)
>
> _____
>
> Brian Claus, A+, Network+, MCP
> Network Administrator
> WESCO Distribution, Inc.
> 225 West Station Square Drive, Suite 700
> Pittsburgh, PA 15219-1122
> Phone: 412-454-2412
> Fax: 412-454-2540
> bclaus@xxxxxxxxxxxxx <mailto:bclaus@xxxxxxxxxxxxx>
> _____
>
> -----Original Message-----
> From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx]
> Sent: Tuesday, June 03, 2003 9:21 AM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: CSG implementation
>
> I prefer it in the DMZ. Then you can specify the ports that are allowed to
> pass through to it (80 and 443 only) which really cuts down the
> vulnerability.
>
> -Paul
>
> > ----------
> > From: Claus, Brian[SMTP:BClaus@xxxxxxxxxxxxx]
> > Reply To: thin@xxxxxxxxxxxxx
> > Sent: Tuesday, June 03, 2003 9:17 AM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: CSG implementation
> >
> > In reading from the Brian Madden book (FR2) I get the following, is this
> > correct?
> >
> > 1 nFuse server in DMZ or outside of the firewall with a verisign cert on it
> > 1 STA inside the firewall
> >
> > From the book, it looks like having it outside the firewall is the best
> > config security wise and easier to set up the open ports in the firewall
> > compared to the DMZ model.
> >
> > Thoughts?
> >
> > _____
> >
> > Brian Claus, A+, Network+, MCP
> > Network Administrator
> > WESCO Distribution, Inc.
> > 225 West Station Square Drive, Suite 700
> > Pittsburgh, PA 15219-1122
> > Phone: 412-454-2412
> > Fax: 412-454-2540
> > bclaus@xxxxxxxxxxxxx <mailto:bclaus@xxxxxxxxxxxxx>
> > _____
> >
> > -----Original Message-----
> > From: Roger Riggins [mailto:Roger@xxxxxxxxxxxx]
> > Sent: Monday, June 02, 2003 6:03 PM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: CSG implementation
> >
> > CSG should be in the DMZ. It can be on the same box as NFuse with a
> > tweak or two.
> > STA should go inside, and can share resources with another
> > box. If you are purchasing your certs, you don't need a CA.
> >
> > Roger
> >
> > -----Original Message-----
> > From: SPerez@xxxxxxxxxxxxxxx [mailto:SPerez@xxxxxxxxxxxxxxx]
> > Sent: Monday, June 02, 2003 11:29 AM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] CSG implementation
> >
> > Group,
> >
> > Environment is Windows 2K Servers running MF XP FR2 w/w2k sp3.
> >
> > I currently use NFuse 1.61 with project columbia for one NFuse site hosting
> > internal and external users.
> >
> > I would like to implement CSG 2.0.
> >
> > Do I need to have a CA running?
> > Also is it best to have CSG on a separate server than NFuse site?
> > Does CSG need to reside on the inside or can it reside in the DMZ?
> >
> > Thank You,
> > Steve
> >
> > ********************************************************
> > This Week's Sponsor - Appsense Technologies
> > New! AppSense Optimizer is a new product from AppSense
> > designed to increase the user capacity of your servers.
> > http://www.appsense.com/
> > **********************************************************
> >
> > For Archives, to Unsubscribe, Subscribe or
> > set Digest or Vacation mode use the below link:
> > http://thethin.net/citrixlist.cfm
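The port layout discussed in this thread (only 80 and 443 from outside to the DMZ, XML and STA traffic only from the DMZ to the internal network), as an added example that is not from any of the posters: a small Python audit of a firewall rule list against that layout. The rule list, the host name `xml_server` and the port numbers 8080 and 8081 are constructed placeholders, since the thread gives no port for the XML service or the STA.

```python
from dataclasses import dataclass

# From the thread: only 80 and 443 are opened from outside to the DMZ.
EXTERNAL_PORTS = {80, 443}
# Placeholders (assumption): the thread names no XML or STA port numbers,
# and "xml_server" is a hypothetical name for the internal XML service host.
DMZ_TO_INSIDE = {("sta_server", 8081), ("xml_server", 8080)}


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "outside", "dmz" or "inside"
    dst_zone: str
    dst_host: str
    port: int


def audit(rules):
    """Return (rule, reason) for every allow rule that breaks the layout."""
    findings = []
    for r in rules:
        if r.src_zone == "outside" and r.dst_zone == "inside":
            findings.append((r, "outside reaches the internal network directly"))
        elif r.src_zone == "outside" and r.dst_zone == "dmz":
            if r.port not in EXTERNAL_PORTS:
                findings.append((r, "port other than 80/443 exposed externally"))
        elif r.src_zone == "dmz" and r.dst_zone == "inside":
            if (r.dst_host, r.port) not in DMZ_TO_INSIDE:
                findings.append((r, "DMZ-to-inside flow not needed for STA/XML"))
    return findings


# Constructed sample rule set: four rules match the layout, three do not.
SAMPLE_RULES = [
    Rule("outside", "dmz", "csg_server", 443),
    Rule("outside", "dmz", "csg_server", 80),
    Rule("dmz", "inside", "sta_server", 8081),
    Rule("dmz", "inside", "xml_server", 8080),
    Rule("outside", "dmz", "csg_server", 8080),     # XML port visible externally
    Rule("outside", "inside", "sta_server", 8081),  # STA reachable from outside
    Rule("dmz", "inside", "xml_server", 3389),      # extra hole into the inside
]

if __name__ == "__main__":
    for rule, reason in audit(SAMPLE_RULES):
        print(f"{rule.src_zone} -> {rule.dst_host}:{rule.port}  {reason}")
```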