[THIN] Re: CSG implementation

  • From: "Schaefer, Jay" <JSchaefer@xxxxxxxxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Tue, 3 Jun 2003 12:57:39 -0500

Brian - 

1. STA requirements look very low to me.  I loaded it onto a
high-end PC.  I've heard of people loading it onto a Metaframe server ok too.
Port 443 is open from the DMZ to the inside to it.  An SSL certificate, I
believe, is needed on the STA.

2. CSG (and another SSL certificate) is in the DMZ with port 443 open to the
outside.   I doubt you want to route traffic from the outside to your
internal NFuse server, so you should load NFuse (sorry, Web Services 2.0) to
this also.  Like I mentioned, I have Web Services on another server in the
DMZ so I can't help you with specifics here.

3. Whatever port XML is on (default 80) must be open from the DMZ to the
inside to your Metaframe servers with XML.

I'm curious if others are doing the same or different....  I should be done
with everything in a few days so maybe I'll put together a tutorial on this.


Here are the documents I found helpful (some are for older versions, but
still have helpful info):

Pre-installation Checklist for Secure Gateway for Metaframe V 2.0
(mycitrix.com under Secure Gateway docs)
Admin Guide for Secure Gateway for Metaframe V 2.0 (mycitrix.com under
Secure Gateway docs)
http://www.tweakcitrix.com/Site%20File%20Repository/Implementing%20Project%20Willamette.doc
http://www.ccaheaven.com/wps/RSA%20SecurID%20integration%20with%20NFuse.pdf
http://www.dabcc.com/thinsol/csg/Docs/CSG%20v1.1%20FAQ%20Aug%202002.doc
http://www.fgagne.org/Doc/Citrix_NFuse_CSG_SecurID_5.pdf
http://thethin.net/whitepapers/MetaframeXP/Project_Willamette_0.5.zip 


Jay
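
The port layout in Jay's three points (clients to CSG in the DMZ on 443 only; CSG to the STA on 443; DMZ to the internal MetaFrame XML service on whatever port XML listens on, never from the outside) can be written down as a small policy and checked mechanically. The script below is an added example, not code from the thread or from Citrix: host names follow Brian's post, the zone names and the XML port value (8080, standing in for "a different port than 80") are constructed, and the "weak" rule set is a constructed contrast showing the findings the audit raises when the gateway is exposed directly from the inside network.

```python
"""Firewall-policy check for the CSG / STA / XML-service layout discussed above.

Constructed example: models three zones (outside, dmz, inside), the flows the
thread says must work, and audits a rule set for missing flows and for rules
that expose the inside network or the XML service straight to the Internet.
"""
from dataclasses import dataclass

# Assumptions: host names as in Brian's post; the XML port is a constructed
# value standing in for "a different port than port 80".
XML_PORT = 8080
EXTERNAL_PORTS_OK = {80, 443}   # Paul: only 80 and 443 open externally


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str   # "*" means any host in dst_zone
    port: int


# Flows that must be permitted: (src_zone, dst_zone, dst_host, port)
REQUIRED_FLOWS = [
    ("outside", "dmz", "csg_server", 443),      # clients -> CSG over SSL
    ("dmz", "inside", "sta_server", 443),       # CSG validates tickets with STA
    ("dmz", "inside", "mf_server", XML_PORT),   # Web Interface/CSG -> XML service
]


def allows(rules, src_zone, dst_zone, dst_host, port):
    """True if some rule permits this flow (wildcard or exact host match)."""
    return any(
        r.src_zone == src_zone and r.dst_zone == dst_zone
        and r.dst_host in ("*", dst_host) and r.port == port
        for r in rules
    )


def audit(rules):
    """Return findings as a dict of lists; all lists empty means the policy is sound."""
    missing = [f for f in REQUIRED_FLOWS if not allows(rules, *f)]
    # Nothing from the Internet should reach the inside network directly.
    direct_to_inside = [r for r in rules
                        if r.src_zone == "outside" and r.dst_zone == "inside"]
    # The XML service port must never be reachable from outside, wherever it is.
    xml_exposed = [r for r in rules
                   if r.src_zone == "outside" and r.port == XML_PORT]
    # Only 80/443 should be open from the outside into the DMZ.
    extra_ports = sorted({r.port for r in rules
                          if r.src_zone == "outside" and r.dst_zone == "dmz"
                          and r.port not in EXTERNAL_PORTS_OK})
    return {"missing": missing, "direct_to_inside": direct_to_inside,
            "xml_exposed": xml_exposed, "extra_external_ports": extra_ports}


# Constructed weak variant: gateway kept on the inside network, with 443 and
# the XML port both opened from the Internet to any internal host.
WEAK_RULES = [
    Rule("outside", "inside", "*", 443),
    Rule("outside", "inside", "*", XML_PORT),
]

# The layout Jay summarizes: CSG in the DMZ, STA and XML inside, pinned per host.
RECOMMENDED_RULES = [
    Rule("outside", "dmz", "csg_server", 443),
    Rule("dmz", "inside", "sta_server", 443),
    Rule("dmz", "inside", "mf_server", XML_PORT),
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("recommended", RECOMMENDED_RULES)):
        print(name, audit(rules))
```

Rules are matched per destination host on purpose: a "DMZ to inside on 443" rule that is not pinned to the STA would also let a compromised DMZ box reach any internal HTTPS service, which is the kind of over-broad opening Paul's "open only the ports you need" warns about.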


-----Original Message-----
From: Claus, Brian [mailto:BClaus@xxxxxxxxxxxxx]
Sent: Tuesday, June 03, 2003 12:04 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: CSG implementation


Thanks Jay...that makes it a little clearer.

Just so I'm sure I understand, here's what I intend on doing with the
remaining "grey" areas.

1.  Secure Ticket Authority (STA) running on a server named "sta_server"
inside of the firewall.  (I intend on loading STA on another existing
server as, from what I've read, STA isn't so intensive that it needs
its own dedicated server--correct?)

2.  CSG, and Verisign on a server named "csg_server" in the DMZ.  (Do I
need to install a separate instance of nFuse on the "csg_server" or can
this route to my internal nFuse server?)

3.  Configure firewall to open ports 443 and 80.  (What about the XML
service port?  I have it on a different port than port 80)



Brian Claus, A+, Network+, MCP
Network Administrator
WESCO Distribution, Inc.
225 West Station Square Drive, Suite 700
Pittsburgh, PA 15219-1122
Phone:  412-454-2412
Fax:  412-454-2540
bclaus@xxxxxxxxxxxxx <mailto:bclaus@xxxxxxxxxxxxx>



-----Original Message-----
From: Schaefer, Jay [mailto:JSchaefer@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, June 03, 2003 11:28 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: CSG implementation


Another thing to watch out for: with Secure Gateway for MetaFrame V. 2.0,
Citrix suggests putting Web Interface (NFUSE) and Secure Gateway on the same
box.  Unless of course you are like us and implementing RSA security along
with it; then they say you can put them on separate boxes.

I too have found very little documentation, but it really didn't go that
bad.  I still have to incorporate the RSA part, but the STA, Secure Gateway
and Web Interface installs were pretty easy once I figured out that Trial
Certificates from Verisign require a special client install for any browser
hitting it.

STA is on the inside, CSG & Web Interface Servers on DMZ with only port 443
open from outside.

Jay

-----Original Message-----
From: Claus, Brian [mailto:BClaus@xxxxxxxxxxxxx]
Sent: Tuesday, June 03, 2003 9:43 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: CSG implementation


I'm still in the design phase.  Does anyone have any white papers \ best
practices information on installing and configuring CSG?  The stuff I've
found on Citrix's web site is lacking...

Brian Claus, A+, Network+, MCP
Network Administrator
WESCO Distribution, Inc.
225 West Station Square Drive, Suite 700
Pittsburgh, PA 15219-1122
Phone:  412-454-2412
Fax:  412-454-2540
bclaus@xxxxxxxxxxxxx <mailto:bclaus@xxxxxxxxxxxxx>



-----Original Message-----
From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx]
Sent: Tuesday, June 03, 2003 10:22 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: CSG implementation


Well, it depends... are you running the Gateway on the same box as NFuse?
I'm not.  Anyway, open only the ports you need.  It is far more secure.  And
remember, the XML communication takes place from the DMZ to the internal
network.  It does not need to be visible externally.  You need 80 so that
NFuse can communicate AND so that the certificate can be resolved, and 443
for security communications.  I do it the recommended way and run a separate
server for NFuse and for my Secure Gateway box.  Both have only 80 and 443
open to them externally.  The SG box has IIS disabled.  It works well.

-Paul

> ----------
> From:         Claus, Brian[SMTP:BClaus@xxxxxxxxxxxxx]
> Reply To:     thin@xxxxxxxxxxxxx
> Sent:         Tuesday, June 03, 2003 10:04 AM
> To:   thin@xxxxxxxxxxxxx
> Subject:      [THIN] Re: CSG implementation
>
> What about custom apps?  Will they work if only 80 and 443 are open?
> (I'm assuming you mean that your nfuse server uses port 80 to
> communicate via XML...I don't use 80)
>
> Brian Claus, A+, Network+, MCP
> Network Administrator
> WESCO Distribution, Inc.
> 225 West Station Square Drive, Suite 700
> Pittsburgh, PA 15219-1122
> Phone:  412-454-2412
> Fax:  412-454-2540
> bclaus@xxxxxxxxxxxxx <mailto:bclaus@xxxxxxxxxxxxx>
>
> -----Original Message-----
> From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx]
> Sent: Tuesday, June 03, 2003 9:21 AM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: CSG implementation
>
> I prefer it in the DMZ.  Then you can specify the ports that are allowed
> to pass through to it (80 and 443 only) which really cuts down the
> vulnerability.
>
> -Paul
>
> > ----------
> > From:       Claus, Brian[SMTP:BClaus@xxxxxxxxxxxxx]
> > Reply To:   thin@xxxxxxxxxxxxx
> > Sent:       Tuesday, June 03, 2003 9:17 AM
> > To:         thin@xxxxxxxxxxxxx
> > Subject:    [THIN] Re: CSG implementation
> >
> > In reading from the Brian Madden book (FR2) I get the following, is
> > this correct?
> >
> > 1 nFuse server in DMZ or outside of the firewall with a Verisign cert
> > on it
> > 1 STA inside the firewall
> >
> > From the book, it looks like having it outside the firewall is the
> > best config security wise and easier to set up the open ports in the
> > firewall compared to the DMZ model.
> >
> > Thoughts?
> >
> > Brian Claus, A+, Network+, MCP
> > Network Administrator
> > WESCO Distribution, Inc.
> > 225 West Station Square Drive, Suite 700
> > Pittsburgh, PA 15219-1122
> > Phone:  412-454-2412
> > Fax:  412-454-2540
> > bclaus@xxxxxxxxxxxxx <mailto:bclaus@xxxxxxxxxxxxx>
> >
> > -----Original Message-----
> > From: Roger Riggins [mailto:Roger@xxxxxxxxxxxx]
> > Sent: Monday, June 02, 2003 6:03 PM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: CSG implementation
> >
> > CSG should be in the DMZ. It can be on the same box as NFuse with a
> > tweak or two. STA should go inside, and can share resources with
> > another box. If you are purchasing your certs, you don't need a CA.
> >
> > Roger
> >
> > -----Original Message-----
> > From: SPerez@xxxxxxxxxxxxxxx [mailto:SPerez@xxxxxxxxxxxxxxx]
> > Sent: Monday, June 02, 2003 11:29 AM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] CSG implementation
> >
> > Group,
> >
> > Environment is Windows 2K Servers running MF XP FR2 w/w2k sp3.
> >
> > I currently use NFuse 1.61 with project columbia for one NFuse site
> > hosting internal and external users.
> >
> > I would like to implement CSG 2.0.
> >
> > Do I need to have a CA running?
> > Also is it best to have CSG on a separate server than NFuse site?
> > Does CSG need to reside on the inside or can it reside in the DMZ?
> >
> > Thank You,
> > Steve
> >
> > ********************************************************
> > This Week's Sponsor - Appsense Technologies
> > New! AppSense Optimizer is a new product from AppSense
> > designed to increase the user capacity of your servers.
> > http://www.appsense.com/
> > **********************************************************
> >
> > For Archives, to Unsubscribe, Subscribe or
> > set Digest or Vacation mode use the below link:
> > http://thethin.net/citrixlist.cfm