[THIN] Re: published apps through firewall.

  • From: "Jim Hathaway" <JimH@xxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Fri, 27 Dec 2002 08:56:16 -0800

Paul,

As a caveat to what Joe said about CSG, I know that newer versions of
Nfuse get around the issue you've mentioned, so that you can publish
your apps to all servers still, but only set one server up with an
altaddr and allow users to connect to it securely. Used in conjunction
with CSG you only end up exposing your SSL (and in the future TLS)
ports to the public.

There are some very well known published application hacks that you
should be aware of with your current setup however. Crafty hackers can
get the ability to run the app of their choice on your servers, just
because you are allowing the XML and ICA ports directly to a terminal
server.

I've found the following document to give a pretty good overview of both
what hackers can do to gain access, and what you can do to secure your
Citrix servers better. It's not bulletproof, but there are some good
tips in here that you should keep in mind.

http://sh0dan.org/files/hackingcitrix.txt

J
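Two practical questions run through this thread: what `altaddr /query` actually reports (Magnus's "Default" versus per-adapter output), and which servers end up with ICA and XML ports NATed straight to them (Jim's warning, and Paul's I/O error when a published server had no translated address). The audit below is an added example, not code from any poster or from Citrix: it parses `altaddr /query` text in the two shapes Magnus describes and compares each server's effective altaddr with a firewall NAT table. The server list, the `altaddr /query` text and the NAT rules are constructed samples (RFC 5737 documentation addresses); the finding names are invented for this example.

```python
"""Audit a MetaFrame farm's firewall exposure against its altaddr mappings.

Added example for this thread; not code from any poster or from Citrix.
The `altaddr /query` text and the NAT table are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Ports named in the thread: ICA session 1494/tcp, ICA browser 1604/udp,
# XML service 80/tcp by default (Paul moved his to a non-default port).
ICA_PORT = (1494, "tcp")
ICA_BROWSER_PORT = (1604, "udp")


def parse_altaddr_query(output: str) -> Dict[str, str]:
    """Parse `altaddr /query` output into {local-ip or 'Default': public-ip}.

    Both shapes Magnus asks about are accepted:
        Default         209.20.130.33
        192.168.111.23          209.20.130.33
    Lines that are not two tokens, or that hold non-IP text, are ignored.
    """
    mapping: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        key, public = parts
        try:
            ipaddress.ip_address(public)
            if key.lower() != "default":
                ipaddress.ip_address(key)
        except ValueError:
            continue
        mapping["Default" if key.lower() == "default" else key] = public
    return mapping


def effective_altaddr(mapping: Dict[str, str], internal_ip: str) -> Optional[str]:
    """Per-adapter entry wins; otherwise the Default entry; otherwise None."""
    return mapping.get(internal_ip, mapping.get("Default"))


@dataclass(frozen=True)
class Server:
    name: str
    internal_ip: str
    altaddr_output: str  # captured `altaddr /query` text (constructed here)


@dataclass(frozen=True)
class NatRule:
    public_ip: str
    internal_ip: str
    port: int
    proto: str = "tcp"


def audit(servers: List[Server], nat: List[NatRule],
          xml_port: int = 80) -> List[Tuple[str, str]]:
    """Return (server, finding) pairs.

    direct-ica-xml-exposure : ICA/XML ports are NATed straight to the server
                              (Jim's warning: only a gateway's TLS port should be public)
    missing-altaddr         : ICA reachable from outside but no altaddr set, so
                              clients are handed the internal address (Paul's symptom)
    altaddr-mismatch        : altaddr differs from the public address in the NAT rule
    """
    exposed: Dict[str, Set[Tuple[int, str]]] = {}
    public_for: Dict[str, Set[str]] = {}
    for r in nat:
        exposed.setdefault(r.internal_ip, set()).add((r.port, r.proto))
        public_for.setdefault(r.internal_ip, set()).add(r.public_ip)

    risky = {ICA_PORT, ICA_BROWSER_PORT, (xml_port, "tcp")}
    findings: List[Tuple[str, str]] = []
    for s in servers:
        if not (exposed.get(s.internal_ip, set()) & risky):
            continue  # nothing ICA/XML-related is public for this host
        findings.append((s.name, "direct-ica-xml-exposure"))
        alt = effective_altaddr(parse_altaddr_query(s.altaddr_output), s.internal_ip)
        if alt is None:
            findings.append((s.name, "missing-altaddr"))
        elif alt not in public_for[s.internal_ip]:
            findings.append((s.name, "altaddr-mismatch"))
    return findings


# Constructed sample: one published-app server set up as the thread suggests,
# one with no altaddr, one with a stale altaddr, and a gateway exposing 443 only.
SERVERS = [
    Server("citrix01", "192.168.111.23", "Default         203.0.113.10\n"),
    Server("citrix02", "192.168.111.24", ""),
    Server("citrix03", "192.168.111.25", "192.168.111.25          203.0.113.99\n"),
    Server("csg01", "192.168.111.50", ""),
]
NAT = [
    NatRule("203.0.113.10", "192.168.111.23", 1494),
    NatRule("203.0.113.10", "192.168.111.23", 1604, "udp"),
    NatRule("203.0.113.10", "192.168.111.23", 8080),  # relocated XML port
    NatRule("203.0.113.11", "192.168.111.24", 1494),
    NatRule("203.0.113.12", "192.168.111.25", 1494),
    NatRule("203.0.113.20", "192.168.111.50", 443),
]

if __name__ == "__main__":
    for name, finding in audit(SERVERS, NAT, xml_port=8080):
        print(f"{name}: {finding}")
```

Run against the sample, the gateway host produces no finding because only 443/tcp reaches it, which is the end state Jim and Joe describe; every host with 1494, 1604 or the XML port NATed to it is reported, and the altaddr checks separate the "works" case from the two ways a translated address can be wrong.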

-----Original Message-----
From: Joe Shonk [mailto:JShonk@xxxxxxxxxxxxxx]
Sent: Friday, December 27, 2002 7:06 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: published apps through firewall.


Yup...  All 8 servers would need an external address and altaddr
setup...

If you need all 8 servers external, I would suggest using CSG to
minimize your exposure.

Joe

-----Original Message-----
From: Paul Beckman [mailto:pbeckman@xxxxxxxxxxxxxxxxxxxx]
Sent: Friday, December 27, 2002 8:00 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: published apps through firewall.



I cannot run altaddr /query...  but when I run altaddr I get the
default    xxx.xxx.xxx.xxx

I do have it working for now...  I have 8 servers total and had all
eight servers running the published app, so I unmapped 7 of them so that
the only server that was running the app would be the one that had the
translated address. So far so good.


Thanks to everyone that has helped...

-----Original Message-----
From: Magnus [mailto:magnus@xxxxxxxx]
Sent: Friday, December 27, 2002 8:49 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: published apps through firewall.



When you type in altaddr /query from a cmd line are you getting the
below

Default         209.20.130.33

Or are you getting

192.168.111.23          209.20.130.33


magnus



-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Paul Beckman
Sent: Friday, December 27, 2002 9:48 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: published apps through firewall.



yeup

-----Original Message-----
From: Magnus [mailto:magnus@xxxxxxxx]
Sent: Friday, December 27, 2002 8:41 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: published apps through firewall.



Did you set the altaddr on the server? Also, you stated that you changed
the XML port; did you ensure that the new port was open on the firewall
as well?

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Paul Beckman
Sent: Tuesday, December 24, 2002 10:13 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] published apps through firewall.


I am running XP on W2k.
I have 1494, 1604, and 80 with a public address translated to my
internal Citrix IP. I can browse the apps but get an I/O error when
trying to connect. If I put the public address in the server box on a
custom ICA connection I can connect to the desktop. If I stop and
restart the IMA service I can connect to the published apps once, but if
I disconnect I cannot reconnect. I have also put the XML port on a
different port #. We do not have IIS running on this server, and I also
created open ports for another server and the same thing happens. I have
been on the phone with Citrix and no luck. Does anyone have any
ideas? Thanks, Paul


***********************************************
This Week's Sponsor: 99point9.com
The 99Point9.com Online Tech Support
Helpdesk is the one-stop solution for all
your server-based computing needs.
http://www.99point9.com
************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link.

http://thethin.net/citrixlist.cfm

