Hi Andrew,

I may be off topic here and am certainly not trying to vendor pitch, but given you mention Environment Manager and Application Manager, you may have overlooked a feature within Application Manager: Advanced Network Access Control. In AM you can apply executable restriction rules, right, like adding a group and then going into deny and blocking, say, CMD.EXE; obviously you can also do the reverse, block everything yet allow this and that. Well, in 8.0 (current release) you can also do the same with network ports, shares and URLs. Just go into either a group rule, user rule or device rule and, in either the allow or deny list, choose to add an item, only choose Network Item. We (AppSense) introduced this feature for the finance sector, where what you describe is the norm. This way you can put a mini-firewall around specific users / groups etc. and prevent them from going outside of their machine (i.e. double-hopping onto another machine). Again, you can restrict shares and URLs if required using the same feature.

Sorry to product pitch, but just wanted to let you know that what you're trying to do may already be possible with the products you're looking at.

Cheers,
Jon
http://www.insidetheregistry.com

From: Andrew Wood
Sent: Tuesday, August 25, 2009 1:10 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: speaking of security nazis

> Two-factor authentication is not in the budget, so not an option.

In all fairness, if that's a statement that the business is pushing and you've external access... they're only playing at being Security Nazis. There'll be some sort of "oo, what if they get admin access" stuff going on here as well, I bet; in which case shell out on Environment and Application Manager from AppSense: lock out applications and give reporting; lock out application access and give reporting. Get an independent assessment of the access by a 3rd party.

If you want something *else*: I've seen one product that suggests it does protocol inspection on 1494, but all *that's* going to do is see if you're injecting anything naughty into the ICA stream. For the life of me I can't find the company now. What you're more than likely asking for is a product that will monitor a session and then alert when someone opens a command prompt or the CMC, and essentially that's locked out with Windows & Citrix security and policies, and more locked down and reported on with AppSense.

It's all a bit moot if you've not bothered to secure your external access by only using a username/password, mind, or put your servers raw onto the internet. It's amazing how many hits you'll get back looking for raw published Citrix servers in Google, and scary how many you can connect to anonymously and, erm, apparently shocking how many you can launch a command prompt on. So I've been told.

You could obviously monitor sessions with session recording and playback; there are 3rd party tools available now, which means you don't need to be running Enterprise Edition to allow this.

Ask them for a MoSCoW security policy statement and then provide an assessment based on the available security with/without the likes of AppSense.

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Wilson, Christopher
Sent: 25 August 2009 15:45
To: thin@xxxxxxxxxxxxx
Subject: [THIN] speaking of security nazis

The AppSense conversation reminds me of something else I want to bounce off you guys. I am working at a company now that places a high priority on security, perhaps more than I'm used to. I'm planning a consolidation of several Citrix farms, one of which resides in a DMZ. A small subset of business apps are hosted here (Office and file shares, really), because it was deemed too great a risk to provide access to the whole internal Citrix environment.

The security team believes Citrix Secure Gateway with single-factor authentication doesn't provide enough protection from external attack and thus won't point it at internal farms. (This is foreign to me, since I think of this as a limited VPN, and they do have VPN access.) So here's where I'm interested in your input. Two-factor authentication is not in the budget, so not an option. Is CSG that much of a risk to merit this kind of concern? Is CAG sufficiently better to mitigate some of this concern? How are others doing it? My own experience is that I've seen lots of CSG, a little CAG, and two-factor authentication primarily at larger companies. I want to be able to roll this DMZ farm internal, and provide the benefits of remote access for all apps they've been missing out on. But I'll have to get past the security guys first.
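The alerting Andrew describes above (flag it when someone opens a command prompt inside a published session), as an added example that is not part of this thread and is not AppSense or Citrix code: it runs simple detection logic over a constructed process-creation log. The pipe-delimited log format, the account names, the session numbers and the `ALLOWED_ADMINS` set are all assumptions made up for the example; a real deployment would read Windows process-creation audit events and take the admin list from a directory group.

```python
"""Alert on command-prompt launches inside published (ICA) sessions.

Added example, not code from the THIN thread, AppSense or Citrix.
The pipe-delimited log format below is constructed for illustration;
real Windows process-creation auditing has its own event format.
"""
from dataclasses import dataclass
from typing import List
import ntpath

# Constructed sample log: timestamp|user|session_id|new_process|parent_process
SAMPLE_LOG = """\
2009-08-25T15:40:01|CORP\\jsmith|3|C:\\Program Files\\Microsoft Office\\OFFICE12\\WINWORD.EXE|C:\\Program Files\\Citrix\\System32\\wfshell.exe
2009-08-25T15:41:12|CORP\\jsmith|3|C:\\WINDOWS\\system32\\cmd.exe|C:\\Program Files\\Microsoft Office\\OFFICE12\\WINWORD.EXE
2009-08-25T15:42:30|CORP\\svc-backup|0|C:\\WINDOWS\\system32\\cmd.exe|C:\\WINDOWS\\system32\\svchost.exe
2009-08-25T15:43:05|CORP\\adm-jon|5|C:\\WINDOWS\\system32\\CMD.EXE|C:\\WINDOWS\\explorer.exe
2009-08-25T15:44:19|CORP\\bwhite|7|C:\\WINDOWS\\explorer.exe|C:\\Program Files\\Citrix\\System32\\wfshell.exe
"""

# Images whose launch in a user session should raise an alert
# (the thread's "command prompt" case; extend as policy requires).
WATCHED_IMAGES = {"cmd.exe"}

# Accounts agreed with the security team as allowed to open a shell.
# Assumption for the example; a deployment would source this from a group.
ALLOWED_ADMINS = {"corp\\adm-jon"}

# Session 0 hosts services, not interactive ICA sessions, so it is skipped.
SERVICE_SESSION = 0


@dataclass
class ProcessEvent:
    timestamp: str
    user: str
    session: int
    image: str
    parent: str


@dataclass
class Alert:
    timestamp: str
    user: str
    session: int
    image: str
    parent: str
    reason: str


def parse_log(text: str) -> List[ProcessEvent]:
    """Parse the constructed pipe-delimited log; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 5:
            continue  # malformed record: ignore rather than crash the collector
        ts, user, session, image, parent = parts
        events.append(ProcessEvent(ts, user, int(session), image, parent))
    return events


def detect_shell_launches(text: str) -> List[Alert]:
    """Return one Alert per watched image launched in an interactive session
    by an account that is not on the agreed admin list."""
    alerts = []
    for ev in parse_log(text):
        name = ntpath.basename(ev.image).lower()  # case-insensitive, path-independent
        if name not in WATCHED_IMAGES:
            continue
        if ev.session == SERVICE_SESSION:
            continue  # service context, not a user session
        if ev.user.lower() in ALLOWED_ADMINS:
            continue
        alerts.append(Alert(ev.timestamp, ev.user, ev.session, ev.image, ev.parent,
                            f"{name} launched in session {ev.session} by non-admin"))
    return alerts


if __name__ == "__main__":
    for a in detect_shell_launches(SAMPLE_LOG):
        print(f"{a.timestamp} {a.user} session={a.session} "
              f"parent={ntpath.basename(a.parent)}: {a.reason}")
```

The parent process is carried into the alert because it is what an analyst triages on: a shell spawned from a published Office application in a user session is a different finding from one an administrator opens from Explorer, and the service-session and admin-list filters keep the rule from paging on routine activity.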