[THIN] Re: 2-way browser SSL and CSG

  • From: "Jay Jukes" <thin@xxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 8 Dec 2004 23:06:36 +0930

Correct me if I'm wrong but I think the other "Jay" is looking at using
client SSL certificates as a means of offering a second level of
authentication, similar to RSA or SecureComputing but without the hardware
tokens.  Sounds similar to what I've seen done with L2TP/IPSec VPNs.

The idea I believe is to only allow access from machines with a valid client
certificate, that way it doesn't matter if a user's username/password is
compromised, the client's SSL certificate is also still required.

Cheers
Jay
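The gate Jay describes above, a valid client certificate required on top of username/password, as an added Go example that is not code from this thread, from Citrix, or from IIS. Everything in it is constructed for the example: an in-memory lab CA (`lab-ca`) issues the gateway's certificate and the client certificates, the server side requires a client certificate chaining to that CA, and `connect` reports whether a given client was admitted; `mkCert`, `serve`, `connect` and the names are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// mkCert issues a one-hour certificate for name: self-signed when parent is nil, otherwise signed by parent.
func mkCert(name string, isCA bool, parent *tls.Certificate) *tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, DNSNames: []string{"gateway"}}
	if parent == nil { // self-signed: the template is its own issuer
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: priv}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}
// Lab CA constructed for this example, the gateway certificate it issued, and the only issuer trusted for clients.
var ca = mkCert("lab-ca", true, nil)
var gateway = mkCert("gateway", false, ca)
var pool = func() *x509.CertPool { p := x509.NewCertPool(); p.AddCert(ca.Leaf); return p }()
// serve admits only clients whose certificate chains to pool and sends each admitted client one byte; the Write
// performs the server-side handshake, so nothing is sent when the client certificate check fails.
func serve() string {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{*gateway},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool})
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c *tls.Conn) { defer c.Close(); c.Write([]byte("k")) }(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String()
}
// connect dials as a client holding certs (none = password-only client) and reports whether the server admitted it.
func connect(addr string, certs ...tls.Certificate) bool {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, ServerName: "gateway", Certificates: certs})
	if err == nil { // under TLS 1.3, Dial can return before the server has rejected the client certificate
		conn.SetReadDeadline(time.Now().Add(3 * time.Second))
		_, err = conn.Read(make([]byte, 1)) // the byte the server sends only to admitted clients
		conn.Close()
	}
	return err == nil
}
```

A client with no certificate and a client whose certificate comes from an issuer outside `pool` are both refused, while a certificate issued by `lab-ca` is admitted; the read after `Dial` is what makes the result reliable across TLS versions.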


----- Original Message ----- 
From: "Joe Shonk" <joe@xxxxxxxxxxxxxxxxxxx>
To: <thin@xxxxxxxxxxxxx>
Sent: Wednesday, December 08, 2004 10:59 PM
Subject: [THIN] Re: 2-way browser SSL and CSG


> Hmm... Not quite sure what you're getting at... WI is encrypted via SSL when
> accessed through CSG.  Not quite sure why this isn't secure.  If you need
> additional security, you can use safeword or some other token id for
> 2-factor authentication.  It sounds like you'd rather have a VPN than WI/SG.
>
> Joe
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jay Moock
> Sent: Wednesday, December 08, 2004 6:18 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: 2-way browser SSL and CSG
>
> We want to do this because having basically an NT login prompt hanging out on
> the internet is not secure enough for us.
>
> I already have both set up on one box with one IP and one server-side cert.
> What I'm talking about are client-side certs so that we can control what end
> users are able to connect to the WI.
>
> Thanks,
> Jay
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Joe Shonk
> Sent: Wednesday, December 08, 2004 12:08 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: 2-way browser SSL and CSG
>
> First question,  why?  CSG will proxy HTTPS request for WI.  If you want
> both on the same box,  assign 1 IP address to WI and 1 to SG.  If you MUST
> run off of 1 ip address, you will want to disable socket pooling if you are
> to SSL. Again, why?  SG only needs 1 address and it will encrypt the WI
> traffic for you,  no need to install a SSL cert for WI.
>
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jay Moock
> Sent: Tuesday, December 07, 2004 1:48 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] 2-way browser SSL and CSG
>
> Trying to test client SSL certs on our CSG server as an alternative to
> SafeWord or RSA.  I'm running into a problem with it though.  Currently, I
> have both CSG and WI on the same box.  CSG listens on 443 and IIS listens on
> 444.  If I enable client SSL in IIS then it apparently is trying to get a
> cert from CSG (which of course fails).  If I go straight to port 444 on the
> CSG/WI box then the client SSL works as it should, but of course then you're
> bypassing CSG, sort of.  If I go in to CSG Admin my session does show up,
> which doesn't quite make sense, but I'm willing to accept it if it doesn't
> create any issues.
>
> Is anyone else doing anything like this?  If I flip the ports (change IIS to
> 443 and CSG to 444) and have users go straight to 443 am I opening myself up
> to any potential problems?
>
> Thanks,
> Jay
>
> ********************************************************
> This Weeks Sponsor Activaeon.com
> Reduce licensing costs with activAeon XA and get one month completely
free.
> http://www.activaeon.com
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ThinWiki community
> http://www.thinwiki.com
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use
> the below link:
> http://thin.net/citrixlist.cfm
>