Another thing to watch out for: with Secure Gateway for MetaFrame V. 2.0, Citrix suggests putting Web Interface (NFUSE) and Secure Gateway on the same box. Unless of course you are like us and implementing RSA security along with it, then they say you can put them on separate boxes.

I too have found very little documentation, but it really didn't go that bad. I still have to incorporate the RSA part, but the STA, Secure Gateway and Web Interface installs were pretty easy once I figured out that Trial Certificates from Verisign require a special client install for any browser hitting it.

STA is on the inside, CSG & Web Interface Servers on DMZ with only port 443 open from outside.

Jay

-----Original Message-----
From: Claus, Brian [mailto:BClaus@xxxxxxxxxxxxx]
Sent: Tuesday, June 03, 2003 9:43 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: CSG implementation

I'm still in the design phase. Does anyone have any white papers \ best practices information on installing and configuring CSG? The stuff I've found on Citrix's web site is lacking...

_____

Brian Claus, A+, Network+, MCP
Network Administrator
WESCO Distribution, Inc.
225 West Station Square Drive, Suite 700
Pittsburgh, PA 15219-1122
Phone: 412-454-2412
Fax: 412-454-2540
bclaus@xxxxxxxxxxxxx <mailto:bclaus@xxxxxxxxxxxxx>
_____

-----Original Message-----
From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx]
Sent: Tuesday, June 03, 2003 10:22 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: CSG implementation

Well, it depends... are you running the Gateway on the same box as NFuse? I'm not. Anyway, open only the ports you need. It is far more secure. And remember, the XML communication takes place from the DMZ to the internal network. It does not need to be visible externally. You need 80 so that NFuse can communicate AND so that the certificate can be resolved, and 443 for security communications.

I do it the recommended way and run a separate server for NFuse and for my Secure Gateway box. Both have only 80 and 443 open to them externally. The SG box has IIS disabled. It works well.

-Paul

> ----------
> From: Claus, Brian[SMTP:BClaus@xxxxxxxxxxxxx]
> Reply To: thin@xxxxxxxxxxxxx
> Sent: Tuesday, June 03, 2003 10:04 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: CSG implementation
>
> What about custom apps? Will they work if only 80 and 443 are open?
> (I'm assuming you mean that your nfuse server uses port 80 to
> communicate via XML...I don't use 80)
>
> _____
>
> Brian Claus, A+, Network+, MCP
> Network Administrator
> WESCO Distribution, Inc.
> 225 West Station Square Drive, Suite 700
> Pittsburgh, PA 15219-1122
> Phone: 412-454-2412
> Fax: 412-454-2540
> bclaus@xxxxxxxxxxxxx <mailto:bclaus@xxxxxxxxxxxxx>
> _____
>
> -----Original Message-----
> From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx]
> Sent: Tuesday, June 03, 2003 9:21 AM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: CSG implementation
>
> I prefer it in the DMZ. Then you can specify the ports that are allowed
> to pass through to it (80 and 443 only) which really cuts down the
> vulnerability.
>
> -Paul
>
> > ----------
> > From: Claus, Brian[SMTP:BClaus@xxxxxxxxxxxxx]
> > Reply To: thin@xxxxxxxxxxxxx
> > Sent: Tuesday, June 03, 2003 9:17 AM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: CSG implementation
> >
> > In reading from the Brian Madden book (FR2) I get the following, is
> > this correct?
> >
> > 1 nFuse server in DMZ or outside of the firewall with a verisign cert
> > on it
> > 1 STA inside the firewall
> >
> > From the book, it looks like having it outside the firewall is the
> > best config security wise and easier to set up the open ports in the
> > firewall compared to the DMZ model.
> >
> > Thoughts?
> >
> > _____
> >
> > Brian Claus, A+, Network+, MCP
> > Network Administrator
> > WESCO Distribution, Inc.
> > 225 West Station Square Drive, Suite 700
> > Pittsburgh, PA 15219-1122
> > Phone: 412-454-2412
> > Fax: 412-454-2540
> > bclaus@xxxxxxxxxxxxx <mailto:bclaus@xxxxxxxxxxxxx>
> > _____
> >
> > -----Original Message-----
> > From: Roger Riggins [mailto:Roger@xxxxxxxxxxxx]
> > Sent: Monday, June 02, 2003 6:03 PM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: CSG implementation
> >
> > CSG should be in the DMZ. It can be on the same box as NFuse with a
> > tweak or two. STA should go inside, and can share resources with
> > another box. If you are purchasing your certs, you don't need a CA.
> >
> > Roger
> >
> > -----Original Message-----
> > From: SPerez@xxxxxxxxxxxxxxx [mailto:SPerez@xxxxxxxxxxxxxxx]
> > Sent: Monday, June 02, 2003 11:29 AM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] CSG implementation
> >
> > Group,
> >
> > Environment is Windows 2K Servers running MF XP FR2 w/w2k sp3.
> >
> > I currently use NFuse 1.61 with project columbia for one NFuse site
> > hosting internal and external users.
> >
> > I would like to implement CSG 2.0.
> >
> > Do I need to have a CA running?
> > Also is it best to have CSG on a separate server than NFuse site?
> > Does CSG need to reside on the inside or can it reside in the DMZ?
> >
> > Thank You,
> > Steve

********************************************************
This Week's Sponsor - Appsense Technologies
New! AppSense Optimizer is a new product from AppSense
designed to increase the user capacity of your servers.
http://www.appsense.com/
**********************************************************

For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
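
The three-zone layout discussed in this thread (Secure Gateway and NFuse/Web Interface in the DMZ, STA inside, only 443 or 80 and 443 open from outside) can be checked against a firewall rule list. This is an added example, not code from any list member or from Citrix; the zone labels, the rule format, the sample rules and the `xml_port` default are assumptions.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    src: str   # zone label: "external", "dmz" or "internal" (constructed names)
    dst: str
    port: int  # TCP destination port

def audit(rules, external_ports=(443,), xml_port=80):
    """Compare permit rules with the layout described in the thread.

    external_ports: ports open from outside to the DMZ
                    (443 only in one setup, 80 and 443 in another).
    xml_port: assumed port for DMZ -> internal XML/STA traffic; site-specific.
    Returns (findings, missing): rules outside the design with a reason,
    and required flows that no rule permits.
    """
    required = {Rule("external", "dmz", p) for p in external_ports}
    required.add(Rule("dmz", "internal", xml_port))
    findings = []
    for r in rules:
        if r in required:
            continue
        if r.src == "external" and r.dst == "internal":
            why = "outside traffic reaches the internal network directly"
        elif r.src == "external" and r.dst == "dmz":
            why = f"port {r.port} is exposed externally but not needed"
        elif r.src == "dmz" and r.dst == "internal":
            why = f"DMZ reaches internal port {r.port}; only {xml_port} is expected"
        else:
            why = "flow is not part of the described layout"
        findings.append((r, why))
    missing = sorted(required - set(rules))
    return findings, missing

# Constructed rule set for illustration, not taken from any poster's firewall.
SAMPLE_RULES = [
    Rule("external", "dmz", 443),
    Rule("external", "dmz", 80),
    Rule("external", "dmz", 1494),     # extra port (ICA default) left open
    Rule("external", "internal", 80),  # XML service visible from outside
    Rule("dmz", "internal", 80),
]

if __name__ == "__main__":
    for profile, ports in (("443 only", (443,)), ("80 and 443", (80, 443))):
        findings, missing = audit(SAMPLE_RULES, external_ports=ports)
        print(profile, "-> missing:", missing)
        for rule, why in findings:
            print("  ", tuple(rule), "-", why)
```
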