[THIN] Re: Citrix on DMZ
- From: "Malcolm Bruton" <malcolm.bruton@xxxxxxxxxxxxxxxxxx>
- To: <thin@xxxxxxxxxxxxx>
- Date: Wed, 25 Apr 2007 17:04:58 -0400
Thanks Steve. In most cases (I would guess) some sort of communication
would have to happen to backends inside firewalls anyway depending on
the apps given to users. I don't see a huge risk in allowing a Citrix
server or two to talk to internal farm.... After all it's only a few
more ports open. Of course the fewer open the better. And of course if
it was many servers in the DMZ then yes isolate. Now to work on that
hardened Citrix build....
Malcolm
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Greenberg
Sent: 25 April 2007 21:52
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix on DMZ
In these cases I am referring to the security policy dictated that there
be no communication between the DMZ and the private network. Since there
was to be no communication, that host could not effectively be part of
an internal farm. Also, for the most part, these were single server
implementations for specific B to B purposes so having a separate farm
really just means a little more management work to handle and not much
more cost.
There are many other possible scenarios where some inside communications
are allowed and this would allow the DMZ servers to be part of an
internal farm but still limit end user sessions and connectivity to
within the DMZ....
Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd D8453
Scottsdale, AZ 85262
(602) 432-8649
www.thinclient.net
steveg@xxxxxxxxxxxxxx
________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Malcolm Bruton
Sent: Wednesday, April 25, 2007 11:46 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix on DMZ
Steve
Why do you use a different farm? Do you see it offers significant
security features by doing this? If so, what exactly? If it's a small
farm it's quite costly to build the redundancy.
Malcolm
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Turman, David C.
Sent: 25 April 2007 18:41
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix on DMZ
We have external customers (non-employees) that run a Term Server
app (Powerbuilder 6.5).
The TermServer app talks thru the firewall to an internal SQL server
database.
We just create user ID's in the external DMZ domain for them to use.
What else would you suggest?
________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Greenberg
Sent: Wednesday, April 25, 2007 11:58 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix on DMZ
We have done it a number of times for secure government business to
business applications. This is where the app and data is on the
Presentation Server and the security policy disallows internal access.
In these cases the server is usually a standalone farm and if I knew
what was running on it they would have to kill me :)
Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd D8453
Scottsdale, AZ 85262
(602) 432-8649
www.thinclient.net
steveg@xxxxxxxxxxxxxx
________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Joe Shonk
Sent: Wednesday, April 25, 2007 6:03 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix on DMZ
Question. Why would you want to put a Presentation server in the DMZ? I
know there are some valid reasons, so make sure to take the litmus test
first.
It's 2512, 80 (or whatever the XML port is), 1494, 2598, 27000, the TS
Licensing Port.
Joe
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Turman, David C.
Sent: Tuesday, April 24, 2007 12:51 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Citrix on DMZ
If I were to put a Presentation Server 4.0 box on a DMZ, what
ports would I need to open on the firewall to have it talk to
and be a member of a Presentation Server 4.0 Citrix Farm
on the inside of the firewall? I'm assuming at least 1433.
Any others or problems with doing this?
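Added example, not part of any poster's message: a rule-set check that flags DMZ-to-internal allow rules opening ports beyond those named in the thread (2512, 80, 1494, 2598, 27000, plus the 1433 David assumed). The zone labels, the `Rule` fields and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass

# Ports named in the thread. The "TS Licensing Port" is given no number
# there, so it is deliberately left out instead of guessed.
THREAD_PORTS = {2512, 80, 1494, 2598, 27000, 1433}

@dataclass
class Rule:
    name: str
    src: str      # source zone (hypothetical labels: "dmz", "internal", "internet")
    dst: str      # destination zone
    ports: str    # "2512", "1024-65535" or "any"
    action: str   # "allow" or "deny"

def port_range(spec):
    """Return (low, high) for a single port, a range, or 'any'."""
    if spec == "any":
        return 1, 65535
    low, _, high = spec.partition("-")
    return int(low), int(high or low)

def audit(rules, allowed=THREAD_PORTS):
    """Flag allow rules from the DMZ to the inside that open unlisted ports."""
    findings = []
    for r in rules:
        if (r.action, r.src, r.dst) != ("allow", "dmz", "internal"):
            continue
        low, high = port_range(r.ports)
        listed = sum(1 for p in allowed if low <= p <= high)
        extra = (high - low + 1) - listed   # ports opened beyond the list
        if extra:
            findings.append((r.name, extra))
    return findings

# Constructed sample rule set, not taken from any real firewall.
SAMPLE = [
    Rule("ima", "dmz", "internal", "2512", "allow"),
    Rule("xml", "dmz", "internal", "80", "allow"),
    Rule("sql", "dmz", "internal", "1433", "allow"),
    Rule("lic", "dmz", "internal", "27000-27009", "allow"),
    Rule("rpc-dyn", "dmz", "internal", "1024-65535", "allow"),
    Rule("ica-in", "internet", "dmz", "1494", "allow"),
    Rule("default", "dmz", "internal", "any", "deny"),
]

if __name__ == "__main__":
    for name, extra in audit(SAMPLE):
        print(f"{name}: {extra} port(s) beyond the thread's list")
```

Rules that only cover listed ports pass silently; a wide range such as the constructed `rpc-dyn` rule is reported with the count of extra ports it exposes to the internal network.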