[THIN] Re: Giving external parties access to your Citrix published applications

  • From: "Jeff Pitsch" <jepitsch@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Wed, 6 Sep 2006 09:18:57 -0400

1)  Many companies use Windows in the DMZ and it can be locked down
effectively.  This is old thinking that isn't true anymore if you know what
you're doing.

2)  Citrix is not dropping CSG, they are simply not adding any new
features.  They have said they will continue to ship it as is and update it
for future OS's.  If all you're looking for is ICA tunneling, this is still
the product.  As well, if they were actually going to get rid of CSG it would
be minimally in the Longhorn timeframe which is minimally 1.5 - 2 years
away.

3)  WI/CSG works just fine.  VPN doesn't sound like what they want to offer
so it doesn't fall into this equation.

4)  This works when it's your people but not external vendors and partners.
The amount of communication and consideration that would go into this is
staggering.  Every time they change something they have to tell you.
Considering that the changes made on their end would be from the PC group,
this is unlikely to happen and would cause an inordinate amount of problems
for both parties.  As well, since they are segmenting the external users as
well as they will have control of whether drive mappings, etc. are in effect,
it's not something I would worry about.

5)  Again, we are talking about the PS environment and a segmented PS
environment at that.  They are trying to keep the external users away from
their main network not give them varying levels of access to it.

In the end, IMHO, the added license cost and complexity of the CAG/AAC
solution is simply not justified or needed at this point in time.


Jeff Pitsch
Microsoft MVP - Terminal Server
Provision Networks VIP

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com


On 9/5/06, Steve Greenberg <steveg@xxxxxxxxxxxxxx> wrote:

I see your point but I still prefer to use CAG/AAC for these situations with the following benefits:



1)       CAG is a dedicated LINUX box, CSG is Windows! Who would want IIS
in the DMZ?

2)       Forward going support, Citrix is dropping CSG soon

3)       Ability to offer VPN, WI or portal style content with the same
solution

4)       Ability to do endpoint security checking, I certainly would want
to enforce virus/worm protection on any machine gaining access to my
environment

5)       Ability to present content with various levels of access
depending on the type of device, type of user, whether they are using a known
device, virus protection, etc.  i.e. if the end user is coming from the
subnet of the B to B partner then they can read/write a certain document, if
they are coming from somewhere else it is read-only, and countless other
if/then possibilities...





Can you tell I like CAG/AAC? :)



Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd D8453
Scottsdale, AZ 85262
(602) 432-8649
www.thinclient.net
steveg@xxxxxxxxxxxxxx


------------------------------

*From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On Behalf Of* Jeff Pitsch
*Sent:* Tuesday, September 05, 2006 3:37 PM
*To:* thin@xxxxxxxxxxxxx
*Subject:* [THIN] Re: Giving external parties access to your Citrix published applications



Put the external users in their own domain.  I believe the external
connector would work for you although I'm not 100% on how that is licensed
in regards to partners and vendors.  The external connector would cover you
from a CAL perspective.  I also think a segmented farm would be the best way
to handle it.  I would also use CSG/WI (separate installation because of
domain and branding (if you wanted different branding for external users)).
The PS license server could easily be shared if needed.  This is exactly the
scenario that it was designed for.


I have to respectfully disagree with using CAG/AAC. It wouldn't get you any real advantage over simply using WI/CSG. The granularity that AAC is for is controlling the level of trust to your internal network in regards to shares, websites, etc. It sounds more like you want to simply deliver applications and not have those users mix with your employees.



Jeff Pitsch
Microsoft MVP - Terminal Server
Provision Networks VIP

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com





On 9/5/06, *Michael Pardee* <pardeemp.list@xxxxxxxxx> wrote:

We have a MFXP Farm of approximately 4500 concurrent users all on
Windows2003 SP1 servers.  We have always brought Vendors in to a secure area
via VPN to very specific servers.  We now have a need to bring in close to
500 concurrent users from a Vendor/Partner and I'm curious how others are
doing this.

As with everything, the easiest way is the least secure, so just giving
them accounts in our AD and letting them hit our internal Farm via WI is
probably not the best way to go.  I'm thinking we may actually want to bring
up an external facing PS4 Farm for the Vendors/Partners.  When we do that we
need new ZDCs, license servers, etc.  I guess we'd need an external
Microsoft license server and a bunch of TSCals.  Maybe even a different WI
server to ensure separation from the regular employee access portal.

Just curious how others allow external parties access to your
applications.

Thanks in advance.


--

Michael Pardee
www.blindsquirrel.org


