[THIN] Re: Web Interface 2.0

  • From: "Alexander Danilychev" <teknica@xxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Thu, 05 Aug 2004 11:36:28 -0700

You are missing my point -- redirecting HTTP traffic through the same box (even to another WI box, as you point out) that maintains CSG traffic introduces a higher vulnerability to denial of service attacks.

Check the CSG performance counters -- you will probably notice HTTPS connections that have nothing to do with your intent to provide MetaFrame access across the Internet. If you use multiple CSG boxes (some possibly in a dedicated proxy mode), this is not a big issue.

I agree that the new CSG presents a slick, compact package perfect for small shops. For larger deployments with QoS requirements I would avoid this feature unless CSG is load balanced or used in proxy mode.

Another point regarding STAs:
I never liked the internal dedicated STA deployment. A cost-effective, robust solution (it can be limited by company policy though) is to use available hardware and create multiple CSG+WI/STA boxes that are load balanced. The WI/STA combination is perfect on a multi-homed box with a DMZ-local IP address for the STA. And as long as CSG and WI/STA are standalone (not part of the domain, etc.) and have no common accounts, it would be very hard to compromise your MetaFrame access.


ALEX


From: "Joe Shonk" <joe@xxxxxxxxxxxxxxxxxxx>
Reply-To: thin@xxxxxxxxxxxxx
To: <thin@xxxxxxxxxxxxx>
Subject: [THIN] Re: Web Interface 2.0
Date: Thu, 5 Aug 2004 06:26:23 -0700

Hmm.. I'm still not liking the idea of the STA service in the DMZ. There's
bound to be an IIS server or two in the internal network, and it's not like the
STA service is going to chew up gobs of resources.

Still, even if WI/SG are on separate boxes, only 1 SSL cert is required if
you're using SG 2.x or better. Remember, SG proxies WI requests now.

Joe

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Alexander Danilychev
Sent: Thursday, August 05, 2004 1:08 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Web Interface 2.0


I will not follow the suggestion to run the STA on one selected MetaFrame server -
if the server goes down, your CSG connectivity is in jeopardy (unless you have
one server and CSG is not a primary concern when the MetaFrame box goes down).

True, you can drop STAs on every single MetaFrame box; however, it may impact
your farm maintenance due to an additional app to worry about, i.e. you will be
required to maintain (and yes, patch a few times a month) IIS on every STA
box. If IIS patches are painful, I would also substitute IIS with the Citrix
native listener for the XML service.

With the new CSG version it is not tricky anymore to run STA, CSG and WI on one
box. Just make sure the STA is not exposed to outsiders (multi-homing will
help). On a low budget you can also deploy MetaFrame on the same box, assuming
the user count is low (5-10 or even more, depending on user requirements).

I recommend focusing on CSG stability and suggest a dedicated box if you plan
on 50+ users. Although Citrix reports CSG's capability to support 1000+
concurrent connections (nice pipe required :), I would be concerned about
denial of service attacks when your web requests go through CSG along with
ICA traffic and thus expose CSG to issues not very relevant to a standalone
install.

If two boxes for CSG/STA/WI are available, I would group STA/WI together and
keep CSG separate. It would not be bad to keep the STA on a separate IP not
accessible to outside users. This configuration will require a minimum of two SSL
certificates (versus a minimum of one on a single box), but certificates are not
that expensive ($50-100). If you cannot afford to buy "real" servers,
low-end PCs will do without any problem for 100+ users (that might not be an
option with your company policy).

Again, the point here is to keep a continuous data flow through CSG, while
HTTP connections to STA or WI (NFuse) are not sensitive to timeouts and thus
should be kept separate from CSG if possible.

PS. Load balancing should also be explored if relevant.

ALEX


>From: "Matthew Shrewsbury" <MShrewsbury@xxxxxxxxxxxxxxx>
>Reply-To: thin@xxxxxxxxxxxxx
>To: <thin@xxxxxxxxxxxxx>
>Subject: [THIN] Re: Web Interface 2.0
>Date: Wed, 4 Aug 2004 11:22:56 -0400
>
>We have a good firewall and the Web server will be located in the DMZ
>behind that. I need to run on this server Citrix Web Interface, Citrix
>Secure Gateway, and Secure Ticket Authority. Do you think I can run all
>3 on the same server? From reading the link it seems to be possible.
>
>Thanks for all your help :-)
>
>Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA
>Network Administrator
>
>-----Original Message-----
>From: Cornfield, Scott [mailto:Scott.Cornfield@xxxxxxxxx]
>Sent: Wednesday, August 04, 2004 11:08 AM
>To: thin@xxxxxxxxxxxxx
>Subject: [THIN] Re: Web Interface 2.0
>
>If you only have one server then it should be the CSG. It should be
>stand alone in a DMZ and securely locked down within an inch of its life
>:-) When I say DMZ, even good Access Control Lists on your routers
>would be fine, although I know nothing about Comms!
>
>The STA component could be on one of the Farm servers.
>
>Check this out,
>http://support.citrix.com/kb/entry!default.jspa?categoryID=185&entryID=2843&fromSearchPage=true
>
>Cheers
>Scott
>
> _____
>
>From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
>Behalf Of Matthew Shrewsbury
>Sent: 04 August 2004 15:55
>To: thin@xxxxxxxxxxxxx
>Subject: [THIN] Re: Web Interface 2.0
>
>Thank you for your input!!!
>
>I like the idea of using CSG because I don't have to open up port 1494
>to the outside world.
>
>1) Our system is low budget and I just can't afford another server to
>run STA on. Do you think I could run it on the Web Interface/CSG server
>or on my Metaframe datastore server?
>
>2) If I can't do option 1 then I think I should just run Web Interface
>and skip the CSG/STA option. If I do this how can I force "128Bit Only"
>for external users?
>
>Thanks again for all your help.... I am reading the latest Administrator
>guides now.
>
>Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA
>Network Administrator
>
>-----Original Message-----
>From: Cornfield, Scott [mailto:Scott.Cornfield@xxxxxxxxx]
>Sent: Wednesday, August 04, 2004 10:08 AM
>To: thin@xxxxxxxxxxxxx
>Subject: [THIN] Re: Web Interface 2.0
>
>You can have your Secure Gateway and Nfuse / Web Interface on the one
>server. Install your SSL cert on this server and put it in your DMZ;
>only allow access to port 443 on the CSG.
>
>The only issue here is that you have an additional server which acts as
>a Secure Ticket Authority to support the CSG - the STA should sit
>outside the DMZ beside the farm. You have the option of letting the CSG
>talk to the STA on port 80, or you can install an SSL cert on the STA as
>well.
>
>You can publish your application with standard security settings, as the
>CSG will encrypt all the traffic using 128 bit SSL. The users never need
>to connect directly to the farm servers.
>
>Cheers,
>Scott
>
> _____
>
>From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
>Behalf Of Matthew Shrewsbury
>Sent: 04 August 2004 14:29
>To: thin@xxxxxxxxxxxxx
>Subject: [THIN] Web Interface 2.0
>
>I am slightly out of touch with Citrix XP Web Interface (I have used
>NFuse, not Web Interface). My goal is to have a company portal all users
>can hit, both internal and external, to access Citrix applications.
>
>Solution:
>1) Single web server running Windows 2003, IIS6 and Citrix Web
>Interface.
>2) Purchase SSL cert to secure all web traffic to and from Citrix Web
>Interface.
>3) Open 1494 ports into each Citrix server from the internet.
>4) Configure Web Interface for "128Bit only" for ICA traffic
>
>Questions:
>1) Do I need secure gateway? What is secure gateway all about?
>2) Can I configure Citrix Web Interface to force "128bit only" for
>external users and only use "128bit logon only" for internal users? I
>don't want to publish applications twice.
>
>I was planning to read up on this but now I have been told this needs to
>be done right now... (my manager never sticks to the schedule).
>
>Thanks for any help!!!
>
>Matthew Shrewsbury, MCSE+Internet MCSE 2000 CCA
>Network Administrator
>Coscan Homes LLC
>5555 Anglers Avenue, Suite 1A
>Ft. Lauderdale, Florida 33312
>Direct 954.620.1052
>mshrewsbury@xxxxxxxxxxxxxxx
>
>-----------------------------------------------------------------------
>Information in this email may be privileged, confidential and is
>intended exclusively for the addressee. The views expressed may
>not be official policy, but the personal views of the originator.
>If you have received it in error, please notify the sender by return
>e-mail and delete it from your system. You should not reproduce,
>distribute, store, retransmit, use or disclose its contents to anyone.
>
>Please note we reserve the right to monitor all e-mail
>communication through our internal and external networks.
>-----------------------------------------------------------------------
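The placement rules the thread converges on (only 443 on the CSG open to the outside, WI reached only through the CSG proxy, the STA on a DMZ-local address that the CSG can talk to on port 80 but outsiders cannot reach, and ICA 1494 never opened to the Internet) are easy to state and easy to break silently, for example by leaving IIS on the WI/STA box bound to all interfaces. The script below is an added example written for this page; it is not code from the thin list, from any of the posters, or from Citrix. It encodes those rules as a policy, probes each one from a given vantage point, and reports every place where what the network actually does differs from what the policy says. All addresses, host roles and the two sample scan results are assumptions constructed for illustration.

```python
"""Exposure check for a CSG / Web Interface / STA placement.

Added example, not from the thin list thread or from Citrix: it turns the
placement rules argued in the thread into a policy and reports where the
network disagrees. All addresses, host roles and the sample scans are
assumptions constructed for illustration.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Rule:
    role: str        # service the address/port belongs to
    host: str        # address a client at `vantage` would use
    port: int
    vantage: str     # where the probe runs: "internet" or "dmz"
    reachable: bool  # whether the port SHOULD answer from that vantage


# Policy from the thread (addresses are assumptions): only 443 on the CSG
# faces the Internet; WI is reached through the CSG proxy only; the STA
# lives on a DMZ-local address that outsiders cannot reach but the CSG
# can talk to on port 80; ICA 1494 is never opened to the outside.
POLICY: List[Rule] = [
    Rule("csg", "203.0.113.10", 443, "internet", True),
    Rule("csg", "203.0.113.10", 80, "internet", False),
    Rule("wi", "203.0.113.11", 80, "internet", False),
    Rule("wi", "203.0.113.11", 443, "internet", False),
    Rule("sta", "10.1.1.21", 80, "dmz", True),
    Rule("metaframe", "203.0.113.50", 1494, "internet", False),
]

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(policy: List[Rule], vantage: str,
                   probe: Probe = tcp_probe) -> List[Tuple[Rule, bool]]:
    """Probe every rule for `vantage`; return (rule, observed) pairs where
    the observed reachability differs from what the policy requires."""
    violations = []
    for rule in policy:
        if rule.vantage != vantage:
            continue                   # a rule can only be tested from its own vantage
        observed = probe(rule.host, rule.port)
        if observed != rule.reachable:
            violations.append((rule, observed))
    return violations


def describe(violations: List[Tuple[Rule, bool]]) -> List[str]:
    """One human-readable finding per violation."""
    lines = []
    for rule, observed in violations:
        state = "is reachable" if observed else "is NOT reachable"
        need = "must not be" if rule.reachable is False else "must be"
        lines.append(f"{rule.role} {rule.host}:{rule.port} {state} from "
                     f"the {rule.vantage} but {need}")
    return lines


# Constructed scan results standing in for real probes. The Internet view
# models the mistake multi-homing is meant to prevent: IIS on the WI/STA
# box bound to all interfaces, so port 80 answers on its public address.
SAMPLE_INTERNET_VIEW = {("203.0.113.10", 443), ("203.0.113.11", 80)}
SAMPLE_DMZ_VIEW = {("10.1.1.21", 80)}


def sample_internet_probe(host: str, port: int) -> bool:
    return (host, port) in SAMPLE_INTERNET_VIEW


def sample_dmz_probe(host: str, port: int) -> bool:
    return (host, port) in SAMPLE_DMZ_VIEW


if __name__ == "__main__":
    for vantage, probe in (("internet", sample_internet_probe),
                           ("dmz", sample_dmz_probe)):
        for line in describe(check_exposure(POLICY, vantage, probe)):
            print(line)
```

Against the constructed Internet view the only finding is port 80 on the WI/STA box answering from the outside, which is exactly the case the thread's multi-homing advice is meant to prevent; the DMZ view confirms the CSG can still reach the STA. To use it for real, run `check_exposure(POLICY, "internet")` with the default `tcp_probe` from a host that is actually outside the firewall, and `check_exposure(POLICY, "dmz")` from the CSG itself; only the rules for the vantage you stand at are tested. A TCP probe tells you whether a port answers, not which IIS site answers on it, so bind the STA site to the DMZ-local address and confirm the public address refuses port 80 rather than relying on the site bindings alone.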



********************************************************
This Weeks Sponsor RTO Software
Do you know which applications are abusing your CPU and memory?
Would you like to learn? --   Free for a limited time!
Get the RTO Performance Analyzer to quickly learn the applications,
users, and time of day possible problems exist.
http://www.rtosoft.com/enter.asp?id=320
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm

