[THIN] Re: STA port number change?

  • From: Carlos Sanabria <csanabria@xxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Sat, 12 Apr 2003 09:16:55 -0500

Alexander,

I differ from your opinion of installing the STA on the DMZ. The whole
idea of Citrix Secure Gateway (assuming we're not dealing here with
Relay Mode) is to have a ticket generator in the Trusted network so that
it cannot be hacked or tampered with. For extra security configure your
firewall so that only the Nfuse box and the CSG box (which could be the
same in case you're tight on hardware) can access the STA from the DMZ.
And yes, you could also secure the XML service using Citrix SSL Relay,
and the STA using IIS SSL.

Just my .02

Carlos Sanabria, CCA, MCSA
IT Consultant

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Alexander Danilychev
Sent: Friday, April 11, 2003 12:04 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: STA port number change?



Your steps are absolutely correct.
If you keep STA behind DMZ -- use SSL, i.e. port 443 to please your
firewall folks.

Some people from this group suggested using the same IIS that is used in
conjunction with XML service, i.e. drop STA on MetaFrame.

I personally like my STAs "rock solid", so the scenario with MetaFrame
deployment of STA does not fit the bill (for a single MetaFrame box it is
probably OK).

I always deploy STA within DMZ paying attention to secure STA from
outside access. Again SSL is not important -- only denial of service
attacks if STA is downed or busy.
If you like to save some money - drop STA on a multi-homed NFuse box (it
will support independent load balancing for STAs and NFuse). DO NOT
deploy STA on CSG box!

I will pay more attention to XML service and MAKE SURE that it is not on
default port 80, but protected with SSL (free home-grown certificates
are OK)!

ALEX


>From: "Raffensberger, Stephen D (Stephen) %" <raff@xxxxxxxxx>
>Reply-To: thin@xxxxxxxxxxxxx
>To: <thin@xxxxxxxxxxxxx>
>Subject: [THIN] STA port number change?
>Date: Fri, 11 Apr 2003 09:53:05 -0400
>
>
>I'm building a standard Nfuse 1.7/CSG/STA configuration according to
>the Citrix docs. My firewall folks are concerned about port 80
>traffic initiated in the DMZ (Nfuse & CSG) and destined for the STA in
>the intranet. They want me to change it to another port for improved
>security.
>
>I imagine it's pretty simple to do.
>
>1. On the STA server, change the port to 999 in IIS.
>2. On the Nfuse server, change the NFuse_CSG_STA_URL to
>    http://X.X.X.X:999/Scripts/CtxSta.dll
>3. On the CSG server, change Port to 999 in
>    HKLM\CCS\Services\CtsSecGwy\TicketAuthorities\STA01
>
>Has anyone actually done this? Is it as big a security problem as my
>guys perceive? It seems like Citrix doesn't think so. It's not in any
>of the installation or config settings. Also it looks like it's
>incompatible with SSL which means that I can't really secure it at all.
>
>Steve Raffensberger
>Computer Aid serving Agere Systems
>Mailto: raff@xxxxxxxxx
>(610) 712-6819


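As an added check that is not part of the thread, this Python snippet cross-checks the three settings Steve's steps touch (the IIS port of the STA site, the NFuse_CSG_STA_URL, and the CSG registry Port value under TicketAuthorities\STA01) and flags a cleartext HTTP path from the DMZ; the sample values are constructed, with X.X.X.X the placeholder host from the post.

```python
from urllib.parse import urlparse

# Constructed sample values for the three places the thread lists.
# X.X.X.X is the placeholder host from the post; 999 is the proposed port.
NFUSE_CSG_STA_URL = "http://X.X.X.X:999/Scripts/CtxSta.dll"  # NFuse setting
CSG_STA_REG_PORT = 999   # "Port" under HKLM\...\CtsSecGwy\TicketAuthorities\STA01
IIS_STA_PORT = 999       # port the STA web site listens on in IIS

DEFAULT_PORTS = {"http": 80, "https": 443}


def sta_url_port(url):
    """Return (scheme, effective port) for a configured STA URL,
    filling in the scheme's default port when none is given."""
    parts = urlparse(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unexpected scheme in STA URL: {parts.scheme!r}")
    return parts.scheme, parts.port or DEFAULT_PORTS[parts.scheme]


def check_sta_config(nfuse_url, csg_reg_port, iis_port):
    """Return a list of findings; an empty list means the NFuse URL,
    the CSG registry value and the IIS binding agree and the STA is
    reached over SSL."""
    findings = []
    scheme, url_port = sta_url_port(nfuse_url)
    if url_port != iis_port:
        findings.append(
            f"NFuse URL port {url_port} != IIS STA port {iis_port}")
    if csg_reg_port != iis_port:
        findings.append(
            f"CSG registry port {csg_reg_port} != IIS STA port {iis_port}")
    if scheme == "http":
        findings.append(
            "STA reached over cleartext HTTP from the DMZ; use IIS SSL (https)")
    return findings


if __name__ == "__main__":
    for f in check_sta_config(NFUSE_CSG_STA_URL, CSG_STA_REG_PORT, IIS_STA_PORT):
        print("finding:", f)
```

Moving the port alone silences the firewall team but leaves the ticket traffic readable; the check only comes back clean once all three settings agree and the URL is https.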

********************************************************
This Week's Sponsor - ThinPrint
Simply the best print solution for
Microsoft Terminal Services
and Citrix Metaframe.
http://www.thinprint.com/
**********************************************************

For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
