I too would rate your scenario the same - less exposure via an ICA connection rather than over a VPN. Mostly this is because ICA uses ports that attackers might not be familiar with.

First steps would be to firewall all home machines connecting to your network via a broadband router and/or a personal firewall. Follow up by providing good virus protection software and updating signatures often. Treat home machines that VPN with you just like you would machines in your internal network.

-----Original Message-----
From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx]
Sent: Wednesday, October 09, 2002 8:34 AM
To: 'citrixse@xxxxxxxxxxxxxxx'; 'thin@xxxxxxxxxxxxx'
Subject: [THIN] A question from my security guys about exposure

Setup: MF XPe, Nfuse 1.7 with CSG, no SSL relay configured. Most users only have access to published apps, though some have desktops. We are using a mix of ICA web clients and full PN clients, though will be moving to 99% web clients.

Scenario: We have an at-home worker who has a PC that is direct connected to the Internet through a cable-modem or DSL (take your pick). The worker has a VPN connection to our network. Their PC at home has been back-doored. Now when the worker connects through the VPN, they are opening a connection to our network for whoever back-doored them.

Now change the scenario, such that instead of a VPN connection, the worker is connecting to us via a Citrix connection over the web. Their PC still has the back-door on it. What is the equivalent exposure under this scenario? Can the person that controls the back-door hijack the Citrix session somehow or gain access to the resources on the network while the connection is active?

I am guessing the exposure is not as great since that workstation isn't truly a node on the network as it would be under a VPN solution, but I am curious as to what other risks may exist and how we can safeguard against them if they exist.

Thanks,
Paul

**********************************************
This weeks sponsor 99Point9.com
99Point9 helps solve your unresolved technical server-based questions, issues and incidents.
http://www.99point9.com
***********************************************
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link.
http://thethin.net/citrixlist.cfm