Correct me if I'm wrong, but I think the other "Jay" is looking at using client SSL certificates as a means of offering a second level of authentication, similar to RSA or SecureComputing but without the hardware tokens. Sounds similar to what I've seen done with L2TP/IPSec VPNs. The idea, I believe, is to only allow access from machines with a valid client certificate; that way it doesn't matter if a user's username/password is compromised, the client's SSL certificate is also still required.

Cheers
Jay

----- Original Message -----
From: "Joe Shonk" <joe@xxxxxxxxxxxxxxxxxxx>
To: <thin@xxxxxxxxxxxxx>
Sent: Wednesday, December 08, 2004 10:59 PM
Subject: [THIN] Re: 2-way browser SSL and CSG

> Hmm... Not quite sure what you're getting at... WI is encrypted via SSL when
> accessed through CSG. Not quite sure why this isn't secure. If you need
> additional security, you can use SafeWord or some other token ID for
> 2-factor authentication. It sounds like you'd rather have a VPN than WI/SG.
>
> Joe
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
> Of Jay Moock
> Sent: Wednesday, December 08, 2004 6:18 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: 2-way browser SSL and CSG
>
> We want to do this because having basically an NT login prompt hanging out on
> the internet is not secure enough for us.
>
> I already have both set up on one box with one IP and one server-side cert.
> What I'm talking about are client-side certs so that we can control which end
> users are able to connect to the WI.
>
> Thanks,
> Jay
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
> Of Joe Shonk
> Sent: Wednesday, December 08, 2004 12:08 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: 2-way browser SSL and CSG
>
> First question, why? CSG will proxy HTTPS requests for WI. If you want
> both on the same box, assign 1 IP address to WI and 1 to SG. If you MUST
> run off of 1 IP address, you will want to disable socket pooling if you are
> to SSL. Again, why? SG only needs 1 address and it will encrypt the WI
> traffic for you, no need to install an SSL cert for WI.
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
> Of Jay Moock
> Sent: Tuesday, December 07, 2004 1:48 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] 2-way browser SSL and CSG
>
> Trying to test client SSL certs on our CSG server as an alternative to
> SafeWord or RSA. I'm running into a problem with it though. Currently, I
> have both CSG and WI on the same box. CSG listens on 443 and IIS listens on
> 444. If I enable client SSL in IIS then it apparently is trying to get a
> cert from CSG (which of course fails). If I go straight to port 444 on the
> CSG/WI box then the client SSL works as it should, but of course then you're
> bypassing CSG, sort of. If I go into CSG Admin my session does show up,
> which doesn't quite make sense, but I'm willing to accept it if it doesn't
> create any issues.
>
> Is anyone else doing anything like this? If I flip the ports (change IIS to
> 443 and CSG to 444) and have users go straight to 443, am I opening myself up
> to any potential problems?
>
> Thanks,
> Jay
>
> ********************************************************
> This Weeks Sponsor Activaeon.com
> Reduce licensing costs with activAeon XA and get one month completely free.
> http://www.activaeon.com
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ThinWiki community
> http://www.thinwiki.com
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use
> the below link:
> http://thin.net/citrixlist.cfm
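As an added illustration of the client-certificate idea in the top message (example code written for this page, not anything from the thread or from Citrix): a Python mutual-TLS listener that refuses any session lacking a client certificate issued by our own CA, so a username/password alone never reaches the login prompt. It mints a throwaway CA, a server cert and a client cert with the openssl CLI, which it assumes is installed; every name and certificate here is constructed for the demo.

```python
import os, socket, ssl, subprocess, tempfile, threading

def _openssl(*args):                                 # openssl CLI is assumed to be installed
    subprocess.run(["openssl", *args], check=True, capture_output=True)
def mint_certs(d):
    p = lambda name: os.path.join(d, name)           # throwaway CA, server cert and client cert, valid 1 day
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1", "-subj", "/CN=Demo CA", "-keyout", p("ca.key"), "-out", p("ca.crt"))
    for n in ("server", "client"):
        _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={n}", "-keyout", p(f"{n}.key"), "-out", p(f"{n}.csr"))
        _openssl("x509", "-req", "-days", "1", "-in", p(f"{n}.csr"), "-CA", p("ca.crt"),
                 "-CAkey", p("ca.key"), "-CAcreateserial", "-out", p(f"{n}.crt"))
    return {n: (p(f"{n}.crt"), p(f"{n}.key")) for n in ("ca", "server", "client")}

def serve_once(sock, ctx, log):
    conn, _ = sock.accept()                          # one connection: log who the client was, or why it was refused
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            cn = dict(rdn[0] for rdn in tls.getpeercert()["subject"])["commonName"]
            tls.sendall(b"welcome " + cn.encode())   # password checking would only begin here
            log.append(("accepted", cn))
    except OSError as e:                             # ssl.SSLError is a subclass of OSError
        log.append(("rejected", getattr(e, "reason", type(e).__name__)))

def connect(port, ca_crt, client_cert=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)    # verifies the server chain against our CA
    ctx.load_verify_locations(ca_crt)
    ctx.check_hostname = False                       # demo server cert carries no SAN
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw, ctx.wrap_socket(raw) as tls:
            return tls.recv(64).startswith(b"welcome")
    except OSError:                                  # handshake alert or reset: no session at all
        return False

def demo():
    with tempfile.TemporaryDirectory() as d, socket.create_server(("127.0.0.1", 0)) as sock:
        certs = mint_certs(d)
        srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv.load_cert_chain(*certs["server"])
        srv.load_verify_locations(certs["ca"][0])
        srv.verify_mode = ssl.CERT_REQUIRED          # the second factor: no client cert from our CA, no session
        log, outcomes = [], []
        for cert in (None, certs["client"]):         # first a client with no cert, then one holding it
            t = threading.Thread(target=serve_once, args=(sock, srv, log))
            t.start()
            outcomes.append(connect(sock.getsockname()[1], certs["ca"][0], cert))
            t.join()
        return outcomes, log                         # ([False, True], [("rejected", ...), ("accepted", "client")])
```

Because the certificate is checked during the handshake, the requirement has to be enforced on whatever terminates the user's TLS session; a gateway that terminates TLS in front of IIS, as CSG does in the setup described above, opens its own connection to IIS and cannot hand over the user's certificate.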