[THIN] Re: Web Interface - login process
- From: Angela Smith <angela_smith9@xxxxxxxxxxx>
- To: <thin@xxxxxxxxxxxxx>
- Date: Tue, 26 Feb 2008 22:44:35 +1100
Hi Rick
Thank you so much for your explanations. You have assisted greatly and I learn
so much from your posts. One day I'm hoping to give back to this list once I
learn a bit more.
Thanks again
Angela
Date: Tue, 26 Feb 2008 21:34:09 +1000
From: ulrich.mack@xxxxxxxxx
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Web Interface - login process
Hi Angela,
Admitted, it takes a while to sink in and make sense ;-)
The Zone Data collector (ZDC) "talks" to other Citrix servers using the IMA
protocol on TCP port 2512. Port 2512 is used solely for communication
between servers in the farm and port 2513 for CMC/PSC (management console) to
Citrix server. Then there's server to license server on TCP port 27000 and
server to datastore, which varies depending on the database (access [tcp 2512],
local msde/sql express 2005 [tcp 2512], SQL [varies], Oracle [varies]).
The ZDC doesn't actually "talk" to WI from the viewpoint that WI does the
talking and initializes the comms link, the ZDC only answers.
If you have an external VPN appliance like your Cisco, it'll handle the SSL
side of things and the client connection to WI will still be to port 80, since
the client connection will be tunneling through the VPN connection.
If the only access to WI is via VPN, then there isn't a lot of value in using
SSL encryption with WI and between WI in the DMZ and the internal components.
Setting up the certificates and SSL encryption etc. is not for the faint-hearted.
regards,
Rick
Ulrich Mack
www.commander.com (until the end of this week)
On 2/26/08, Angela Smith <angela_smith9@xxxxxxxxxxx> wrote:
Hi Rick
I actually did read the SDK documentation but unfortunately it went over my
head. I'm getting a better understanding of what's going on under the hood with
everyone's explanations.
My Zone Data Collector is also the XML Broker. I have 1 question outstanding:
1) The Zone Data Collector communicates with other Citrix Servers, Web
Interface and also the client (as per my flowchart diagram). What port does it
use for all this? Is it Port 80? If the WI had SSL would all the
communication be 443?
Thanks in advance
Angela
Date: Tue, 26 Feb 2008 20:13:51 +1000
From: ulrich.mack@xxxxxxxxx
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Web Interface - login process
Hi Angela,
I'd again recommend you read the WI SDK documentation, in particular concerning
the Authentication Sequence. This will give you a much better understanding of
how WI handles authentication.
In a nutshell, WI extracts the login credentials from the login page, and uses
the WebPN method checkAcessToken to contact the XML service on what you've
termed the XML broker to verify if the credentials are valid. As far as AD
authentication goes, that happens from the Citrix server being used as the XML
"broker".
The XML "broker" can be any one of the Citrix servers that you have added to
the Farm list in the WI configuration. WI will use the first server on the
list, which is optimally your zone data collector. There is nothing special
about the XML broker, it is simply whichever Citrix server that happens to be
used by WI at that time.
Unless you're going to put your Citrix servers into the DMZ as well, the ports
used for authentication really don't matter all that much. Nevertheless, just
out of interest, the ports that could be used for authentication alone in a
2003 native AD are:
TCP/UDP 88 : Kerberos V
TCP/UDP 53 : DNS - find DC
TCP/UDP 389 : LDAP
This is ignoring the ports for RPC endpoint (TCP 135), netbios/SMB (TCP
139/445), and the fact you might be using RSA or Safeword token authentication
which will require additional ports opened for WI to talk either to the ACE
server or AD.
regards,
Rick
Ulrich Mack
www.commander.com (until the end of this week)
On 2/26/08, Angela Smith <angela_smith9@xxxxxxxxxxx> wrote:
Hi
I'm still trying to work out what ports get used during Citrix logon.
I've attached a PowerPoint slide that shows the main
communication flow. I have a few questions I was hoping you could assist with:
1) How do I determine what server is the XML Broker?
2) What ports does the XML Broker use to talk to:
- Active Directory
- Licensing Server (27000 I'm assuming)
- Data Collector
- Least Loaded Server
- Client
Our Web Interface does not have a certificate so all communication internally
is on Port 80. Does Port 80 get used for all communication from the XML
Broker? Can anyone let me know what ports are used in question 2?
Thanks
Angela
--
Ulrich Mack
www.commander.com
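Rick's two replies above give both the port numbers and, just as importantly, which side opens each connection (WI "does the talking", the ZDC only answers). As an added example that is not code from the list posts, the Python below turns those flows into the firewall rules a given DMZ layout actually needs, so you can see why AD ports only matter once a Citrix server itself sits in the DMZ; the role names, zone labels and rule shape are assumptions made for illustration.

```python
# Firewall-flow planner for the Web Interface / XML broker / AD traffic in the thread.
# Port numbers and flow directions are taken from Rick's replies; roles, zones and the
# Flow/rule shapes are assumptions for illustration (not Citrix's own terminology).
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # role that opens the connection (the side that "does the talking")
    dst: str      # role that only answers
    proto: str    # "tcp" or "tcp/udp"
    port: int
    purpose: str


def citrix_flows(wi_ssl: bool) -> list[Flow]:
    """Flows named in the thread; the web port is 443 only when WI itself terminates SSL."""
    web = 443 if wi_ssl else 80
    return [
        Flow("client", "wi", "tcp", web, "browser to Web Interface login page"),
        Flow("wi", "broker", "tcp", web, "WI credential check against the XML service"),
        Flow("broker", "ad", "tcp/udp", 88, "Kerberos V"),
        Flow("broker", "ad", "tcp/udp", 53, "DNS - find DC"),
        Flow("broker", "ad", "tcp/udp", 389, "LDAP"),
        Flow("broker", "zdc", "tcp", 2512, "IMA server-to-server (broker is not the ZDC)"),
        Flow("console", "broker", "tcp", 2513, "CMC/PSC management console"),
        Flow("broker", "license", "tcp", 27000, "license server"),
    ]


def crossing_rules(zone_of: dict[str, str], flows: list[Flow]) -> list[tuple]:
    """Keep only flows whose endpoints sit in different zones: those are the firewall
    rules to open, in the initiating direction. Same-zone traffic never hits the firewall."""
    rules = []
    for f in flows:
        src_zone, dst_zone = zone_of[f.src], zone_of[f.dst]
        if src_zone != dst_zone:
            rules.append((src_zone, dst_zone, f.proto, f.port, f.purpose))
    return rules


# Constructed topology: only WI lives in the DMZ; Citrix servers, AD and console stay internal.
WI_ONLY_IN_DMZ = {"client": "internet", "wi": "dmz", "broker": "internal", "zdc": "internal",
                  "ad": "internal", "license": "internal", "console": "internal"}
# Variant: the XML broker is also placed in the DMZ, so its AD and farm traffic crosses too.
BROKER_IN_DMZ = {**WI_ONLY_IN_DMZ, "broker": "dmz"}

if __name__ == "__main__":
    for name, zones in (("WI only in DMZ", WI_ONLY_IN_DMZ), ("broker in DMZ", BROKER_IN_DMZ)):
        print(f"--- {name} ---")
        for src, dst, proto, port, why in crossing_rules(zones, citrix_flows(wi_ssl=False)):
            print(f"allow {src:8} -> {dst:8} {proto}/{port:<5} {why}")
```

With WI alone in the DMZ only the two web-port flows cross a boundary; moving the broker into the DMZ drops the WI-to-broker rule (same zone) but adds the Kerberos, DNS, LDAP, IMA, console and license rules.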