[THIN] Re: CSG implementation

  • From: "Schaefer, Jay" <JSchaefer@xxxxxxxxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Tue, 3 Jun 2003 10:27:56 -0500

Another thing to watch out for, with Secure Gateway for MetaFrame V. 2.0
Citrix suggests putting Web Interface (NFUSE) and Secure Gateway on the same
box.  Unless of course you are like us and implementing RSA security along
with it, then they say you can put them on separate boxes.

I too have found very little documentation, but it really didn't go that
bad.  I still have to incorporate the RSA part, but the STA, Secure Gateway
and Web Interface installs were pretty easy once I figured out that Trial
Certificates from Verisign require a special client install for any browser
hitting it.

STA is on the inside, CSG & Web Interface Servers on DMZ with only port 443
open from outside.

Jay

-----Original Message-----
From: Claus, Brian [mailto:BClaus@xxxxxxxxxxxxx]
Sent: Tuesday, June 03, 2003 9:43 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: CSG implementation


I'm still in the design phase.  Does anyone have any white papers \ best
practices information on installing and configuring CSG?  The stuff I've
found on Citrix's web site is lacking...

Brian Claus, A+, Network+, MCP
Network Administrator
WESCO Distribution, Inc.
225 West Station Square Drive, Suite 700
Pittsburgh, PA 15219-1122
Phone:  412-454-2412
Fax:  412-454-2540
bclaus@xxxxxxxxxxxxx <mailto:bclaus@xxxxxxxxxxxxx>



-----Original Message-----
From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx]
Sent: Tuesday, June 03, 2003 10:22 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: CSG implementation


Well, it depends... are you running the Gateway on the same box as NFuse?
I'm not.  Anyway, open only the ports you need.  It is far more secure.  And
remember, the XML communication takes place from the DMZ to the internal
network.  It does not need to be visible externally.  You need 80 so that
NFuse can communicate AND so that the certificate can be resolved, and 443
for security communications.  I do it the recommended way and run a separate
server for NFuse and for my Secure Gateway box.  Both have only 80 and 443
open to them externally.  The SG box has IIS disabled.  It works well.

-Paul

> ----------
> From:         Claus, Brian[SMTP:BClaus@xxxxxxxxxxxxx]
> Reply To:     thin@xxxxxxxxxxxxx
> Sent:         Tuesday, June 03, 2003 10:04 AM
> To:   thin@xxxxxxxxxxxxx
> Subject:      [THIN] Re: CSG implementation
>
> What about custom apps?  Will they work if only 80 and 443 are open?
> (I'm assuming you mean that your nfuse server uses port 80 to
> communicate via XML...I don't use 80)
>
> Brian Claus, A+, Network+, MCP
> Network Administrator
> WESCO Distribution, Inc.
> 225 West Station Square Drive, Suite 700
> Pittsburgh, PA 15219-1122
> Phone:  412-454-2412
> Fax:  412-454-2540
> bclaus@xxxxxxxxxxxxx <mailto:bclaus@xxxxxxxxxxxxx>
>
> -----Original Message-----
> From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx]
> Sent: Tuesday, June 03, 2003 9:21 AM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: CSG implementation
>
> I prefer it in the DMZ.  Then you can specify the ports that are allowed
> to pass through to it (80 and 443 only) which really cuts down the
> vulnerability.
>
> -Paul
>
> > ----------
> > From:       Claus, Brian[SMTP:BClaus@xxxxxxxxxxxxx]
> > Reply To:   thin@xxxxxxxxxxxxx
> > Sent:       Tuesday, June 03, 2003 9:17 AM
> > To:         thin@xxxxxxxxxxxxx
> > Subject:    [THIN] Re: CSG implementation
> >
> > In reading from the Brian Madden book (FR2) I get the following, is
> > this correct?
> >
> > 1 nFuse server in DMZ or outside of the firewall with a verisign cert
> > on it
> > 1 STA inside the firewall
> >
> > From the book, it looks like having it outside the firewall is the
> > best config security wise and easier to set up the open ports in the
> > firewall compared to the DMZ model.
> >
> > Thoughts?
> >
> > Brian Claus, A+, Network+, MCP
> > Network Administrator
> > WESCO Distribution, Inc.
> > 225 West Station Square Drive, Suite 700
> > Pittsburgh, PA 15219-1122
> > Phone:  412-454-2412
> > Fax:  412-454-2540
> > bclaus@xxxxxxxxxxxxx <mailto:bclaus@xxxxxxxxxxxxx>
> >
> > -----Original Message-----
> > From: Roger Riggins [mailto:Roger@xxxxxxxxxxxx]
> > Sent: Monday, June 02, 2003 6:03 PM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: CSG implementation
> >
> > CSG should be in the DMZ. It can be on the same box as NFuse with a
> > tweak or two. STA should go inside, and can share resources with
> > another box. If you are purchasing your certs, you don't need a CA.
> >
> > Roger
> >
> > -----Original Message-----
> > From: SPerez@xxxxxxxxxxxxxxx [mailto:SPerez@xxxxxxxxxxxxxxx]
> > Sent: Monday, June 02, 2003 11:29 AM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] CSG implementation
> >
> > Group,
> >
> > Environment is Windows 2K Servers running MF XP FR2 w/w2k sp3.
> >
> > I currently use NFuse 1.61 with project columbia for one NFuse site
> > hosting internal and external users.
> >
> > I would like to implement CSG 2.0.
> >
> > Do I need to have a CA running?
> > Also is it best to have CSG on a separate server than NFuse site?
> > Does CSG need to reside on the inside or can it reside in the DMZ?
> >
> > Thank You,
> > Steve
> >
> > ********************************************************
> > This Week's Sponsor - Appsense Technologies
> > New! AppSense Optimizer is a new product from AppSense
> > designed to increase the user capacity of your servers.
> > http://www.appsense.com/
> > **********************************************************
> >
> > For Archives, to Unsubscribe, Subscribe or
> > set Digest or Vacation mode use the below link:
> > http://thethin.net/citrixlist.cfm