[THIN] Re: Web Interface 2.0

  • From: "Matthew Shrewsbury" <MShrewsbury@xxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 4 Aug 2004 15:42:24 -0400

Thanks again for your input. I have decided to go with just Web
Interface for the moment. I've got it up and running and I can see it
has been improved since I last used it (NFuse 1.5).

 

I like the option of using a single external IP address and a different
port number for each internal server. This would also make it a little
more secure if 1494 was ever compromised. I have changed the XML port to
another port for security and because this will be a normal web server
as well.

 

Again thanks for all the input you all are great!! I don't know what I
would have done if thethin.net forum had not been around for all these
years. Thanks!!!!! 

 

Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA

Network Administrator

 

-----Original Message-----
From: Parker, Dennis [mailto:Dennis.Parker@xxxxxxxxxx] 
Sent: Wednesday, August 04, 2004 3:16 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: Web Interface 2.0

 

In this configuration I would also recommend changing to a non-standard
port, so when 1494 is compromised, you won't have quite as much risk.
It does come with its own set of issues of course, but nothing
insurmountable so far.

 

Dennis Parker, MCSE, CCA
Senior Systems Analyst
Fiserv EFT/CNS
4550 SW Macadam Ave, Ste 100
Portland, Or. 97239
Direct: 503-274-6785
Fax:    503-274-6619


 

  _____  

From: Robert K Coffman Jr - Info From Data Corporation
[mailto:bcoffman@xxxxxxxxxxxxxxxx] 
Sent: Wednesday, August 04, 2004 11:57 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Web Interface 2.0

I don't run WI but I do run NFuse Classic - the only thing the clients
need is for your servers to have 1494 open to the internet.  NFuse
server needs to be able to reach the Citrix XML service (usually on port
80) though.

 

1494 hasn't been compromised yet.... I'm sure it will be some day.

 

- Bob Coffman

        -----Original Message-----
        From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of Matthew Shrewsbury
        Sent: Wednesday, August 04, 2004 12:04 PM
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Re: Web Interface 2.0

        Again thanks so much for the tips!!! I am also reading the
documentation right now...

         

        I am weighing up both options. Can someone give me insight on
the following?

        1) If I run Web Interface only with SSL cert (Nfuse classic kind
of install, no CSG or STA) do I need to open more than port 1494 on each
Metaframe XP server? Something in my memory is telling me that I have to
open another port to connect to a published application (I might be
thinking of browser 1604).

         

        I have only two Metaframe XP servers and I don't like the idea
of having to install IIS on one of them to run STA (I like to keep each
Metaframe with minimum applications). Also with the complexity of CSG/STA
I am currently leaning towards just Web Interface because I really need
this to run today. However I do greatly like the extra level of
security and avoiding opening 1494 to the public. 

         

        Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA

        Network Administrator

         

        -----Original Message-----
        From: Cornfield, Scott [mailto:Scott.Cornfield@xxxxxxxxx] 
        Sent: Wednesday, August 04, 2004 11:49 AM
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Re: Web Interface 2.0

         

        Mat,

         

        Golden rule is never have your STA beside your CSG. Put it on a
farm server!

         

        Scott

         

         

        
  _____  


        From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Gentry, Jim (Seta)
        Sent: 04 August 2004 16:36
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Re: Web Interface 2.0

         

        The STA runs as a service. Run WI and CSG on same box in DMZ.
Pick a server behind your firewall and install the STA. There is no
performance impact on the existing server to run the STA.

         

         

         

        -----Original Message-----
        From: Matthew Shrewsbury [mailto:MShrewsbury@xxxxxxxxxxxxxxx] 
        Sent: Wednesday, August 04, 2004 11:23 AM
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Re: Web Interface 2.0

         

        We have a good firewall and the Web server will be located in
the DMZ behind that. I need to run on this server Citrix Web Interface,
Citrix Secure Gateway, and Secure Ticket Authority. Do you think I can
run all 3 on the same server? From reading the link it seems to be
possible.

         

        Thanks for all your help:-)

        Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA

        Network Administrator

         

        -----Original Message-----
        From: Cornfield, Scott [mailto:Scott.Cornfield@xxxxxxxxx] 
        Sent: Wednesday, August 04, 2004 11:08 AM
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Re: Web Interface 2.0

         

        If you only have one server then it should be the CSG. It should
be stand alone in a DMZ and securely locked down within an inch of its
life :-) When I say DMZ even good Access Control Lists on your routers
would be fine, although I know nothing about Comms!

         

        The STA component could be on one of the Farm servers.

         

        Check this out,

        
        http://support.citrix.com/kb/entry!default.jspa?categoryID=185&entryID=2843&fromSearchPage=true

         

        Cheers

        Scott

         

         

        
  _____  


        From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Matthew Shrewsbury
        Sent: 04 August 2004 15:55
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Re: Web Interface 2.0

         

        Thank you for your input!!! 

         

        I like the idea of using CSG because I don't have to open up
port 1494 to the outside world. 

         

        1) Our system is low budget and I just can't afford another
server to run STA on. Do you think I could run it on the Web
Interface/CSG server or on my Metaframe datastore server? 

         

        2) If I can't do option 1 then I think I should just run Web
Interface and skip the CSG/STA option. If I do this how can I force
"128Bit Only" for external users?

         

        Thanks again for all your help....I am reading the latest
Administrator guides now.

         

        Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA

        Network Administrator

         

        -----Original Message-----
        From: Cornfield, Scott [mailto:Scott.Cornfield@xxxxxxxxx] 
        Sent: Wednesday, August 04, 2004 10:08 AM
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Re: Web Interface 2.0

         

        You can have your Secure Gateway and Nfuse / Web Interface on
the one server. Install your SSL cert on this server and put it in your
DMZ, only allow access to port 443 on the CSG. 

         

        The only issue here is that you have an additional server which
acts as a Secure Ticket Authority to support the CSG - the STA should
sit outside the DMZ beside the farm. You have the option of letting the
CSG talk to the STA on port 80, or you can install a SSL cert on the STA
as well.

         

        You can publish your application with standard security settings,
as the CSG will encrypt all the traffic using 128 bit SSL. The users
never need to connect directly to the farm servers.

         

        Cheers,

        Scott

         

         

         

        
  _____  


        From: thin-bounce@xxxxxxxxxxxxx
[mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Matthew Shrewsbury
        Sent: 04 August 2004 14:29
        To: thin@xxxxxxxxxxxxx
        Subject: [THIN] Web Interface 2.0

         

        I am slightly out of touch with Citrix XP Web Interface (I have
used NFuse not Web Interface). My goal is to have a company portal all
users can hit both internal and external to access Citrix applications. 

         

        Solution:

        1) Single web server running Windows 2003, IIS6 and Citrix Web
Interface.

        2) Purchase SSL cert to secure all web traffic to and from
Citrix Web Interface.

        3) Open 1494 ports into each Citrix server from the internet.

        4) Configure Web Interface for "128Bit only" for ICA traffic

         

        Questions:

        1) Do I need secure gateway? What is secure gateway all about?

        2) Can I configure Citrix Web Interface to force "128bit only"
for external users and only use "128bit logon only" for internal users?
I don't want to publish applications twice.

         

        I was planning to read up on this but now I have been told this
needs to be done right now...(my manager never sticks to the schedule).

         

        Thanks for any help!!!

        Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA

        Network Administrator

        Coscan Homes LLC

        5555 Anglers Avenue, Suite 1A

        Ft. Lauderdale, Florida 33312

        Direct 954.620.1052

        mshrewsbury@xxxxxxxxxxxxxxx

         

        
        