I think the link is wrapped Angela - Try this: http://tinyurl.com/2mfl74

And if that doesn't work, search in google for SecuringMonitoringNetworkTrafficwithinCAS_Final_v2

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Angela Smith
Sent: 25 February 2008 11:48
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Web Interface - login process

Hi Andrew

Thanks for the reply. The link to the ppt file doesn't seem to work. Do you have another link to it?

Thanks
Angela

> From: andrew.wood@xxxxxxxxxxxxxxxx
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Web Interface - login process
> Date: Mon, 25 Feb 2008 11:21:30 +0000
>
> You don't need to open up ports from the WI server to AD to perform authentication. The WI server doesn't do user authentication - there's a slidedeck here - www.citrixevents.com/.../dynamic/presentations/3105%20SecuringMonitoringNetworkTrafficwithinCAS_Final_v2.ppt that gives a graphical view of the authentication process.
>
> User credentials are passed from the WI server to the IMA Service running on your Citrix servers via the XML Broker in order for the IMA service to authenticate the user and get their list of available applications. When the user wants to launch a published app, the user's ica file is populated with their ticket information (obtained from an STA) which allows them to log on.
>
> So, technically - you *could* just use 80 and 1494, although if you want to use session reliability you'll need to add in 2598.
>
> Obviously, that's not very secure.
>
> Ideally you've enabled https for the page submitting the user's credentials (otherwise your network passwords are wandering over the internet in plain sight), and you're at least encrypting the XML service from the WI to the Citrix servers by using https.
> Raw and out of the box, once the user launches an app they are communicating with the Citrix server on 1494 (by default); it's 1494 from the client to the Citrix server(s) for all the Citrix clients, including Java. 1494 might not be open at the client end, and isn't encrypted either: a straightforward way to secure that communication would be to have CSG to secure ICA communication to the user by encapsulating it in an SSL tunnel.
>
> There is a useful tcp port check document on Doug Brown's site - http://www.dabcc.com/article.aspx?id=1755
>
> Hth.
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Angela Smith
> Sent: 25 February 2008 09:18
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Web Interface - login process
>
> Hi
>
> I've been tasked to document the Web Interface communication in our environment and the ports that need to be opened between our DMZ and internal network. I'm looking at installing a Web Interface in our DMZ which will access our Citrix Farm on the internal network. I need the Web Interface to authenticate against Active Directory. This is what I've got so far and I was hoping someone could crosscheck or point me in the right direction.
>
> 1) Client - Web Interface - Port 80
> 2) Web Interface - Active Directory (AD on internal network) - not sure what AD ports need to be opened
> 3) Active Directory - Web Interface
> 4) Web Interface - Zone Data Collector - Port 80
> 5) Zone Data Collector - Web Interface - Port 80
> 6) Web Interface - Client - Port 80
>
> User launches Published App
> 7) Client - Web Interface - Port 80
> 8) Web Interface - Client - Port 80
> 9) Client - Citrix Presentation Server - Port 1494
>
> A few questions:
>
> 1) Is the above correct?
> 2) When a user launches a Published App, is the client talking 1494 direct to the Citrix Presentation Server?
> Is the communication going through the Web Interface or is it direct from client to the Citrix Server? Therefore does 1494 need to be open to the client or is it 1494 from Web Interface to Citrix server only?
> 3) If the client is using JAVA does this still talk 1494 direct to the Citrix Farm or is it a different port?
>
> I'm trying to document the above login process and would appreciate any assistance or direction.
>
> Thanks
> Angela
>
> ************************************************
> For Archives, RSS, to Unsubscribe, Subscribe or
> set Digest or Vacation mode use the below link:
> //www.freelists.org/list/thin
> ************************************************
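As an added example, not code from any of the list posts, here is a small Python audit that checks a DMZ firewall rule set against the flows Andrew describes (client to WI, WI to XML Broker, client to ICA either direct or via CSG) and flags paths that are blocked or still reachable in plaintext. The zone names ("internet", "dmz", "internal"), the rule tuples and both sample rule sets are constructed assumptions.

```python
# Added example, not code from the THIN list posts: audit a constructed DMZ
# firewall rule set against the Web Interface flows Andrew describes. Zone
# names ("internet", "dmz", "internal") and the rule tuples are assumptions.

# Each flow lists the (src zone, dst zone, tcp port, encrypted?) paths that
# can carry it, taken from the reply above.
FLOWS = {
    "client -> WI credential page": [
        ("internet", "dmz", 80, False),        # plain http: passwords in clear
        ("internet", "dmz", 443, True)],       # https
    "WI -> XML Broker (auth + app list)": [
        ("dmz", "internal", 80, False),
        ("dmz", "internal", 443, True)],       # XML service over https
    "client -> ICA session": [
        ("internet", "internal", 1494, False), # direct ICA
        ("internet", "internal", 2598, False), # session reliability, also plain
        ("internet", "dmz", 443, True)],       # CSG wraps ICA in an SSL tunnel
}
AD_PORTS = {88: "kerberos", 389: "ldap", 636: "ldaps"}

def audit(rules):
    """Return {flow: BLOCKED|OK|PLAINTEXT} plus notes; rules = {(src, dst, port)}."""
    allowed = set(rules)
    report = {}
    for name, paths in FLOWS.items():
        open_paths = [p for p in paths if p[:3] in allowed]
        if not open_paths:
            report[name] = "BLOCKED"
        elif all(enc for *_, enc in open_paths):
            report[name] = "OK"
        else:
            report[name] = "PLAINTEXT"  # an unencrypted path is still reachable
    # The WI itself does not authenticate against AD (the XML Broker / IMA
    # service does), so DMZ -> internal AD ports deserve a second look.
    report["notes"] = [
        f"dmz->internal {port}/{AD_PORTS[port]} not needed for WI authentication"
        for src, dst, port in sorted(allowed)
        if src == "dmz" and dst == "internal" and port in AD_PORTS]
    return report

# Constructed rule sets: Angela's first draft and a hardened version.
DRAFT = {("internet", "dmz", 80), ("dmz", "internal", 80),
         ("internet", "internal", 1494), ("dmz", "internal", 389)}
HARDENED = {("internet", "dmz", 443), ("dmz", "internal", 443)}

if __name__ == "__main__":
    for label, rules in (("draft", DRAFT), ("hardened", HARDENED)):
        print(label, audit(rules))
```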