[THIN] RE: [THIN] Re: Giving external parties access to your Citrix published applications

  • From: Evan Mann <emann@xxxxxxxxxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Wed, 6 Sep 2006 10:20:18 -0400

I'd opt for CAG/WI, but not use AAC.  This keeps things simple.  Just as
simple as doing CSG/WI (IMO).
 
Cost-wise, if you need to buy a new box to throw in the DMZ to run CSG,
then that cost can go towards CAG.  You can also put the costs to secure
and maintain the DMZ box towards CAG, since I've found there to be zero
cost to maintain CAG (aside from the occasional software updates) after
it was implemented. 

You're also buying into a product that will get new features, and gives
you extra functionality, should you think there is even the smallest
possibility of doing what it offers in the future.
 
 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeff Pitsch
Sent: Wednesday, September 06, 2006 9:19 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Giving external parties access to your Citrix
published applications


1)  Many companies use Windows in the DMZ and it can be locked down
effectively.  This is old thinking that isn't true anymore if you know
what you're doing.
 
2)  Citrix is not dropping CSG, they are simply not adding any new
features.  They have said they will continue to ship it as is and update
it for future OS's.  If all you're looking for is ICA tunneling, this is
still the product.  As well if they were actually going to get rid of
CSG it would be minimally in the Longhorn timeframe which is minimally
1.5 - 2 years away.
 
3)  WI/CSG works just fine.  VPN doesn't sound like what they want to
offer so it doesn't fall into this equation.
 
4)  This works when it's your people but not external vendors and
partners.  The amount of communication and consideration that would go
into this is staggering.  Every time they change something they have to
tell you.  Considering that the changes made on their end would be from
the PC group, this is unlikely to happen and would cause an inordinate
amount of problems for both parties.  As well, since they are segmenting
the external users as well as they will have control of whether drive
mappings, etc are in effect, it's not something I would worry about. 
 
5)  Again, we are talking about the PS environment and a segmented PS
environment at that.  They are trying to keep the external users away
from their main network not give them varying levels of access to it.
 
In the end, IMHO, the added license cost and complexity of the CAG/AAC
solution is simply not justified or needed at this point in time.
 

Jeff Pitsch
Microsoft MVP - Terminal Server
Provision Networks VIP

Forums not enough?
Get support from the experts at your business
http://jeffpitschconsulting.com



 
On 9/5/06, Steve Greenberg <steveg@xxxxxxxxxxxxxx> wrote: 

        I see your point but I still prefer to use CAG/AAC for these
situations with the following benefits: 

         

        1)       CAG is a dedicated LINUX box, CSG is Windows! Who would
want IIS in the DMZ? 

        2)       Forward going support, Citrix is dropping CSG soon

        3)       Ability to offer VPN, WI or portal style content with
the same solution

        4)       Ability to do endpoint security checking, I certainly
would want to enforce virus/worm protection on any machine gaining
access to my environment 

        5)       Ability to present content with various levels of
access depending on the type of device, type of user, whether they are using a
known device, virus protection, etc.  i.e. if the end user is coming
from the subnet of the B to B partner then they can read/write a certain
document, if they are coming from somewhere else it is read-only, and
countless other if/then possibilities..... 

         

         

        Can you tell I like CAG/AAC? :-)

         

        Steve Greenberg

        Thin Client Computing

        34522 N. Scottsdale Rd D8453

        Scottsdale, AZ 85262 

        (602) 432-8649

        www.thinclient.net

        steveg@xxxxxxxxxxxxxx 

         

        
________________________________


        From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jeff Pitsch
        Sent: Tuesday, September 05, 2006 3:37 PM
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Re: Giving external parties access to your
Citrix published applications

         

        Put the external users in their own domain.  I believe the
external connector would work for you although I'm not 100% on how that
is licensed in regards to partners and vendors.  The external connector
would cover you from a CAL perspective.  I also think a segmented farm
would be the best way to handle it.  I would also use CSG/WI (separate
installation because of domain and branding (if you wanted different
branding for external users)).  The PS license server could easily be
shared if needed.  This is exactly the scenario that it was designed
for. 

        
        I have to respectfully disagree with using CAG/AAC.  It wouldn't
get you any real advantage over simply using WI/CSG.  The granularity
that AAC is for is controlling the level of trust to your internal
network in regards to shares, websites, etc.  It sounds more like you
want to simply deliver applications and not have those users mix with
your employees.  

         

        Jeff Pitsch
        Microsoft MVP - Terminal Server
        Provision Networks VIP

        Forums not enough?
        Get support from the experts at your business
        http://jeffpitschconsulting.com

        
        
         

        On 9/5/06, Michael Pardee <pardeemp.list@xxxxxxxxx> wrote: 

        We have a MFXP Farm of approximately 4500 concurrent users all
on Windows2003 SP1 servers.  We have always brought Vendors in to a
secure area via VPN to very specific servers.  We now have a need to
bring in close to 500 concurrent users from a Vendor/Partner and I'm
curious how others are doing this. 
        
        As with everything, the easiest way is the least secure, so just
giving them accounts in our AD and letting them hit our internal Farm
via WI is probably not the best way to go.  I'm thinking we may actually
want to bring up an external facing PS4 Farm for the Vendors/Partners.
When we do that we need new ZDCs, license servers, etc.  I guess we'd
need an external Microsoft license server and a bunch of TSCals.  Maybe
even a different WI server to ensure separation from the regular
employee access portal. 
        
        Just curious how others allow external parties access to your
applications.
        
        Thanks in advance.
        

        
        -- 
        
        Michael Pardee
        www.blindsquirrel.org

         

