A router is a gateway. Just about every IP host has a Default gateway = to route traffic that destined for another subnet. Not all = routers/gateway can/do perform IP/Port/Application filtering. Most = gateways just route traffic, and that's precisely what CSG does. Thaw = with a Ticketing Authority and Encrypted traffic. If you want to control the Virtual Channels, you can setup custom ica = listeners on the Metaframe server to allow client drive mappings, but = not auto-created printers. This is just one way to accomplish this, = granted there are more. It would be very difficult to create malformed ICA Packet then hi-jack a = 128bit SSL session, after being authenticated. (Username/Password = through NFuse and STA) To answer your question if CSG should be complemented with another = security component. Yes, the use of a Firewall to protect the internal = network (DMZ too...NFUSE and CSG) is highly recommended. The NFuse web = server should be hardened and locked down. There are some good Third = Party tools that are great at doing this. Joe -----Original Message----- From: Diego [mailto:salsorro@xxxxxxxxxxx] Sent: Wednesday, January 29, 2003 1:59 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: Citrix_Secure_Gateway_Datasheet.pdf Hi guys, in my opinion, CSG might not be called a secure gateway. My concept of gateway is something that complements the IP filtering of = the firewalls in the DMZ with filtering at application level and that = restricts the traffic applying rules that understand the commands that are in = higher layers than TCP (for instance, an smtp gateway might block an email with attachments, or allow only some subset of the smpt commands). Since CSG = is a tool that -after authentication and ticketing- allows all ICA traffic to pass the DMZ without restriction, it shouldn't be considered as a true secure gateway. It's not possible to restrict which ICA virtual channels = are being used, it doesn't block malformed ICA packets, etc It's just a tool to use 443 traffic and a single point of access from = the Internet. As far as security is concerned, CSG must be complemented with some other security components. What do you think? ----- Original Message ----- From: "Seitz, Linden" <L.Seitz@xxxxxxx> To: "Thin@Freelists. Org (E-mail)" <thin@xxxxxxxxxxxxx> Sent: Tuesday, January 28, 2003 8:34 PM Subject: [THIN] Citrix_Secure_Gateway_Datasheet.pdf > > In reviewing the Citrix_Secure_Gateway_Datasheet.pdf, it indicates = that CSG > provides a secure gateway to secure all ICA traffic at the DMZ, but = falls > short of being classified as a "full VPN". Anyone know in what areas = it > specifically falls short? > > > > > *************************************************************************= ** > This Week's Sponsor: New Wyse(R) Expedian(TM)software maximizes your server capacity--cost-effectively. Now you can dramatically increase the number of users on a server by as much as 40%--and reduce the number of servers you have to manage. By optimizing memory usage, Wyse Expedian software allows the terminal server to support more applications and = more concurrentusers. Download your 30-day free trial today at: > http://www.wyse.com/expedian/eval.cfm?promo=3DUS-Ad-0103TheThinNetNewslet= terEM > *************************************************************************= *** > > > For Archives, to Unsubscribe, Subscribe or > set Digest or Vacation mode use the below link: > http://thethin.net/citrixlist.cfm > *************************************************************************= ** This Week's Sponsor: New Wyse(R) Expedian(TM)software maximizes your = server capacity--cost-effectively. Now you can dramatically increase the = number of users on a server by as much as 40%--and reduce the number of = servers you have to manage. By optimizing memory usage, Wyse Expedian = software allows the terminal server to support more applications and = more concurrentusers. Download your 30-day free trial today at: http://www.wyse.com/expedian/eval.cfm?promo=3DUS-Ad-0103TheThinNetNewslet= terEM *************************************************************************= *** For Archives, to Unsubscribe, Subscribe or=20 set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm *************************************************************************** This Week's Sponsor: New Wyse(R) Expedian(TM)software maximizes your server capacity--cost-effectively. Now you can dramatically increase the number of users on a server by as much as 40%--and reduce the number of servers you have to manage. By optimizing memory usage, Wyse Expedian software allows the terminal server to support more applications and more concurrentusers. Download your 30-day free trial today at: http://www.wyse.com/expedian/eval.cfm?promo=US-Ad-0103TheThinNetNewsletterEM **************************************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm