[THIN] Re: CSG and NFuse question - What if?

  • From: "Alexander Danilychev" <teknica@xxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Tue, 17 Dec 2002 08:23:09 -0800

Hi Brian,

A. The NFuse box should talk to the outside world on ports 80 and 443, since the 
initial communication happens unsecured over port 80. It is inconvenient to start 
on any other port prior to authentication over port 443. With only port 443 open 
you will have to use a redirect from another web server that starts the user on 
port 80.

B. Obviously CSG can be set to work on almost any port, but there is a 
problem: your client accessing CSG is very likely to have his own 
firewall, so port 9999 might be blocked. Conclusion: keep 443 for CSG.

C. Placing the STA inside on port 90 is inconvenient and more work, since you 
have to open an additional inbound port (90) on your internal firewall. As I 
mentioned previously, there is little or no risk in placing the STA in the DMZ as 
long as it is not visible to the outside. The STA's task is to generate tickets 
and verify them. There is no sensitive information stored on the STA server, and 
it is only open to denial-of-service attacks. I would not even encrypt STA 
traffic; however, port 443 is better than port 90.

Again, save some money by placing the STA on a multi-homed NFuse box (or protect 
the STA directory with an access list on a single-homed NFuse).

D. An important aspect of securing a CSG and NFuse deployment is ENCRYPTION OF 
XML TRAFFIC; you will need an additional certificate to do that. That 
certificate can be homegrown, since the XML service is running on the local 
network. As such, you will have port 443 open for the XML service.

Conclusion:
Only ports 80 and 443 are open on the outside and inside layers of the DMZ.


ALEX
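
As an added illustration (not code from Alex's or Brian's posts), the two layouts discussed in this thread can be written down as a list of flows and checked against the rules argued above: nothing Internet-facing on a port a client-side firewall is likely to block, the STA never reachable from outside, no extra non-standard inbound ports on the internal firewall, and XML traffic encrypted. The zone names, the Flow record and the wording of the findings are assumptions made for this model, and the ICA flow from the CSG to the farm on TCP 1494 is not mentioned in the thread and is included as an assumption.

```python
"""Model of the CSG / NFuse / STA port layouts discussed in this thread.

Added example, not code from the original posts. Zone names, the Flow
record and the check wording are assumptions made for this model.
"""
from dataclasses import dataclass

# Ports a typical client-side (egress) firewall lets out to the Internet.
# Assumption of the model, matching Alex's point B.
CLIENT_EGRESS_ALLOWED = {80, 443}

# Web-based services that can live on 80/443 and therefore should not
# need their own non-standard inbound port (Alex's point C).
HTTP_SERVICES = {"nfuse", "sta", "xml"}


@dataclass(frozen=True)
class Flow:
    src: str         # zone the connection starts from: internet, dmz, lan
    dst: str         # zone it terminates in
    service: str     # nfuse, csg, sta, xml or ica
    port: int        # destination TCP port
    encrypted: bool  # SSL/TLS on the wire?


def check_design(flows):
    """Return findings (strings) for the rules argued in the thread."""
    findings = []
    for f in flows:
        # A/B: anything the Internet must reach is useless on a port
        # that the user's own firewall probably blocks.
        if f.src == "internet" and f.port not in CLIENT_EGRESS_ALLOWED:
            findings.append(f"{f.service} listens on {f.port}: likely blocked "
                            f"by the client's own firewall, keep it on 443")
        # C: the STA must never be visible from outside.
        if f.src == "internet" and f.service == "sta":
            findings.append("STA is reachable from the Internet")
        # C: a web service on a non-standard port is one more inbound
        # hole to open on the internal firewall.
        if (f.src == "dmz" and f.dst == "lan" and f.service in HTTP_SERVICES
                and f.port not in CLIENT_EGRESS_ALLOWED):
            findings.append(f"{f.service} on port {f.port} needs an extra "
                            f"inbound rule on the internal firewall")
        # D: XML service traffic carries user logon data and must be encrypted.
        if f.service == "xml" and not f.encrypted:
            findings.append("XML traffic to the XP farm is unencrypted")
    return findings


def open_ports(flows, src, dst):
    """Destination ports the firewall between src and dst must pass."""
    return {f.port for f in flows if f.src == src and f.dst == dst}


# Brian's proposal, constructed from his message: CSG on 9999 alongside
# NFuse in the DMZ, STA on the LAN on port 90, XML service on 80.
BRIAN = [
    Flow("internet", "dmz", "nfuse", 443, True),
    Flow("internet", "dmz", "csg", 9999, True),
    Flow("dmz", "lan", "sta", 90, False),
    Flow("dmz", "lan", "xml", 80, False),
    Flow("dmz", "lan", "ica", 1494, False),   # assumed: ICA from CSG to farm
]

# Alex's recommendation: NFuse on 80/443, CSG on 443, STA multi-homed
# with NFuse in the DMZ and not reachable from outside, XML over 443.
ALEX = [
    Flow("internet", "dmz", "nfuse", 80, False),
    Flow("internet", "dmz", "nfuse", 443, True),
    Flow("internet", "dmz", "csg", 443, True),
    Flow("dmz", "dmz", "sta", 443, True),
    Flow("dmz", "lan", "xml", 443, True),
    Flow("dmz", "lan", "ica", 1494, False),   # assumed: ICA from CSG to farm
]

if __name__ == "__main__":
    for name, design in (("Brian", BRIAN), ("Alex", ALEX)):
        print(f"{name}: {check_design(design) or ['no findings']}")
        print("  outside -> DMZ:", sorted(open_ports(design, "internet", "dmz")))
        print("  DMZ -> LAN:   ", sorted(open_ports(design, "dmz", "lan")))
```

Run as a script it reports three findings for Brian's layout (CSG on 9999, STA on 90 inside, plain-text XML) and none for Alex's. The open_ports helper is the part worth keeping when writing the actual firewall rules: even in Alex's layout the internal firewall has to pass the CSG's proxied ICA sessions (1494 in this model) in addition to 443, which the "only 80 and 443" summary counts only for the web services.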


>From: "Murphy, Brian" <bmurphy@xxxxxxxxxxxxxxxxxxx>
>Reply-To: thin@xxxxxxxxxxxxx
>To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
>Subject: [THIN] Re: CSG and NFuse question - What if?
>Date: Mon, 16 Dec 2002 21:40:26 -0600
>
>Question: what would be the main issues, in a nutshell?
>
>If you have an NFuse box on a highly secure DMZ, you have an SSL
>certificate on the NFuse box, and only port 443 is allowed to pass from the
>external network to the DMZ. You have CSG configured on port 9999 and it speaks
>to the STA on the LAN side running on port 90. To add a layer you can ACL off
>the external (outside-in) side of your firewall to only allow specific IP
>addresses to connect via the NAT'd addresses.
>
>You have an explicit access list that only allows XML traffic and STA traffic
>from the DMZ box to the STA and Citrix XP server. The STA and Citrix XP box
>are VLAN'd off from the primary LAN. The XP server is in a separate farm and
>will only allow connections from the specified DMZ subnet.
>
>In this scenario you could have two DMZ boxes configured identically to back
>up one another. In the other scenario, if you lose one or the other box, you're
>hard down.
>
>I am asking for everyone's honest opinion on this. Is there something wrong
>with this scenario?
>
>Thanks.
>Murphy
>
>-----Original Message-----
>From: Alexander Danilychev [mailto:teknica@xxxxxxxxxxx]
>Sent: Monday, December 16, 2002 3:55 PM
>To: thin@xxxxxxxxxxxxx
>Cc: jjensen@xxxxxxxxx
>Subject: [THIN] Re: CSG and NFuse question
>
>
>
>Hi all,
>
>In general it is not a good idea to have CSG on the same box as NFuse. This
>was discussed in detail at this user group; however, here is a short
>version:
>=========================================
>1. Regarding internal and external NFuse:
>=========================================
>Unless SSL encapsulation for ICA traffic is required, I would recommend
>separate NFuse boxes: external with CSG and STA support, and internal with
>just secure ICA. Note that SSL login is recommended for both NFuse
>implementations. One box will work but some customization is required (see
>below).
>=========================================
>2. Regarding CSG configuration:
>=========================================
>Unless there are no resources, period, use a separate box. If not, use
>multi-homing and DO NOT change standard ports on your server. Note that the STA
>should not be visible from outside.
>
>The usual scenario (reasonable costs) involves two boxes: one for CSG and
>another for NFuse with STA (the STA is recommended to be multi-homed with NFuse).
>Remember that NFuse and STA need a web server and CSG does not!
>
>HTTP connections are stateless: your NFuse and STA are disconnected from
>your users most of the time. On the contrary, CSG will pass your ICA traffic
>continuously, so web hits can potentially disrupt the traffic, making a CSG
>merger with either STA or, especially, NFuse unusable.
>=========================================
>3. Regarding load balancing:
>=========================================
>Load balancing is recommended mostly for higher availability, i.e. if any of
>the boxes go down. Only large sites with 500-1000 users will benefit from
>load balancing performance-wise. You can also use multiple STAs which are
>statically mapped with NFuse and CSG (so no "additional" load balancing for
>STA; Citrix takes care of that).
>=========================================
>4. Regarding DMZ
>=========================================
>Usually NFuse and CSG go on the DMZ. If you do not expose the STA to the
>outside, the DMZ is fine for the STA as well; it is overkill to hide the STA
>on an additional box behind the DMZ on your internal network.
>
>As was mentioned previously, local NFuse should run on a separate local box.
>
>Obviously you can use one NFuse box on the DMZ and separate external users from
>internal ones by IP address and serve different content based on user
>origin, thus eliminating the need to run two NFuse implementations.
>
>Although out-of-the-box configuration is easier with two NFuses, this is a
>perfectly acceptable configuration; just make sure you do not run your
>internal users through CSG without justification.
>
>PS
>Do not mess with ports
>
>ALEX
>
>
>
> >From: "Murphy, Brian" <bmurphy@xxxxxxxxxxxxxxxxxxx>
> >Reply-To: thin@xxxxxxxxxxxxx
> >To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
> >Subject: [THIN] Re: CSG and NFuse question
> >Date: Mon, 16 Dec 2002 14:00:22 -0600
> >
> >Why not run CSG and NFuse on the same box? You must be running XP in
> >order to use CSG, so your XML service port should be 80. Set up a
> >stand-alone XP box on the LAN side with STA running on it. Set the STA
> >(IIS) to run on port 90.
> >
> >Configure DMZ NFuse to run on standard port 80 for client requests
> >(HTTP). However, configure CSG to listen on some other unused port like
> >9999. Using the NFuse Admin tool, configure your CSG server to <FQDN>:9999
> >
> >-----Original Message-----
> >From: Jensen, Jay [mailto:jjensen@xxxxxxxxx]
> >Sent: Monday, December 16, 2002 12:30 PM
> >To: Thin Client E-mail Group (E-mail)
> >Subject: [THIN] CSG and NFuse question
> >
> >
> >
> >I know for some of you this sounds like a stupid question but I need to
> >get it clear in my head.
> >
> >We are putting a Citrix Secure Gateway (Win2k Server SP2) into our DMZ.
> >We have an STA server available, so getting an SSL certificate shouldn't be
> >a problem. Our NFuse web server is sitting in the internal network. I am
> >thinking I need to build a 2nd NFuse web server in the DMZ for my internet
> >(external) users and leave my internal NFuse web server in the internal
> >network. Is this correct, or should I move my internal NFuse web server
> >into the DMZ and let my external and internal customers connect on the one
> >box?
> >
> >I know for load balancing and uptime I would need duplicate connection
> >points but this is another discussion.
> >
> >Thanks all.
> >Jay
> >***********************************************
> >This Weeks Sponsor: 99point9.com
> >The 99Point9.com Online Tech Support
> >Helpdesk is the one-stop solution for all
> >your server-based computing needs.
> >http://www.99point9.com
> >************************************************
> >For Archives, to Unsubscribe, Subscribe or
> >set Digest or Vacation mode use the below link.
> >
> >http://thethin.net/citrixlist.cfm