I wouldn't do this without a DMZ and CSG. You can get a firewall with a DMZ for pretty cheap and you can throw CSG on the same box as WI.

I can't remember the exact altaddr stuff since I never use it, but that sounds right.

On your Pix config, don't set an outbound access list unless you actually care about what goes out. It'll save you some config. Just leave it something like:

access-list INSIDE_ACCESS_OUTBOUND line 1 permit ip any any

I would recommend leaving 1494 open in case you run into some older clients, but if you're going to skip the DMZ then I'd close as many as possible.

Roger Riggins
Network Administrator
Lutheran Services in Iowa
w: 319.859.3543
c: 319.290.5687
http://www.lsiowa.org

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Mike Semon
Sent: Tuesday, February 06, 2007 6:49 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Citrix and Cisco Pix configuration

Trying to remember the correct Pix configuration. Have a client with a small Citrix installation (2 Citrix PS 4.0 boxes and 1 Web Interface Server). No DMZ. I have my public IP address with NAT set up to the private address of my Web Interface Server. Can I just set up NAT for two more public IP addresses for my Citrix boxes and add these IP addresses with Altaddr so that each corresponds to a different public IP address? I am opening 80 and 1494 inbound and the upper ports 1023 and above outbound. If I am using session reliability can I just replace 1494 with 2598?
Mike

SBC SITES ONLY GOOGLE SEARCH: http://www.F1U.com
************************************************
For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: //www.freelists.org/list/thin
************************************************
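The layout asked about in this thread (one static NAT per server, inbound rules limited to the published ports), written out as an added example that is not from either poster. All addresses are constructed documentation addresses, the names OUTSIDE_ACCESS_IN, WI, CTX1 and CTX2 are assumptions, and it describes the no-DMZ setup that the reply advises against.

```cisco
! Added example. Constructed addresses (assumptions):
!   192.0.2.x = public, 10.1.1.x = private
!   WI = Web Interface server, CTX1/CTX2 = the two Presentation Server boxes

! One-to-one static NAT, one public address per server
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255
static (inside,outside) 192.0.2.11 10.1.1.11 netmask 255.255.255.255
static (inside,outside) 192.0.2.12 10.1.1.12 netmask 255.255.255.255

! Too broad: exposes every port on the translated host
! access-list OUTSIDE_ACCESS_IN permit ip any host 192.0.2.11

! Narrow: HTTP to WI only; ICA (1494) and session reliability (2598)
! to the Presentation Servers only. 1494 stays open for older clients,
! as the reply recommends; drop those two lines to close it.
access-list OUTSIDE_ACCESS_IN permit tcp any host 192.0.2.10 eq 80
access-list OUTSIDE_ACCESS_IN permit tcp any host 192.0.2.11 eq 1494
access-list OUTSIDE_ACCESS_IN permit tcp any host 192.0.2.11 eq 2598
access-list OUTSIDE_ACCESS_IN permit tcp any host 192.0.2.12 eq 1494
access-list OUTSIDE_ACCESS_IN permit tcp any host 192.0.2.12 eq 2598
access-group OUTSIDE_ACCESS_IN in interface outside

! On each Presentation Server (Windows command prompt, not the Pix),
! register the public address that maps to that server:
!   CTX1: altaddr /set 192.0.2.11
!   CTX2: altaddr /set 192.0.2.12
! Web Interface must also be set to hand clients the alternate address.
```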