But isnt https://remote.mycompany.com <https://remote.mycompany.com/> just a IIS page? So it would be using the IIS ssl port? Since IIS and CSG can not share it I would think you need to have port 444 (or what ever port IIS is using for SSL) Am I missing something here? Thanks Brian Rota, From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Joe Shonk Sent: Tuesday, April 25, 2006 1:03 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: CSG and Web Interface on 1 box No... Only CSG communicates with WI, not the user. User types in: https://remote.mycompany.com <https://remote.mycompany.com/> Remote.mycompany.com resolves to the IP of the CSG box User's browser connects to CSG box via port 443 CSG sees client connect request on 443. CSG talks to WI and gets the logon page CSG sends the WI logon page to the clients (over the current SSL connect) Client types in Password and clicks OK. CSG sends this request to the WI for authentication. WI enumerates apps and sends list to CSG which in turns sends it to the client (still over SSL) Client browses apps and click on App. CSG sends client request Apps to WI, WI builds the .ica complete an STA ticket and send the launch.ica file to the client (via the CSG server). The ICA client is launched with the launch.ica file on the client machine. The client makes a new connection the CSG server over SSL The CSG validates the STA ticket and setups up a connection the PS server. Joe ________________________________ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Rota, Brian Sent: Tuesday, April 25, 2006 9:49 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: CSG and Web Interface on 1 box But wouldn't I need to open port 444 to get to the site? So the user will get the web interface? Thanks Brian ________________________________ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Joe Shonk Sent: Tuesday, April 25, 2006 12:42 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: CSG and Web Interface on 1 box That's not correct. Passwords are encrypted... The client makes it WI request to the CSG server over SSL (The 1 IP and 1 SSL I mentioned). CSG will then proxy the request to the WI Server. The client NEVER connects to port 80, only CSG. It's been like this since CSG 2.0. Remember, only port 443 is exposed... Port 80 is blocked off from the internet. Joe ________________________________ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Rota, Brian Sent: Tuesday, April 25, 2006 9:33 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: CSG and Web Interface on 1 box You can not log into the web interface using https if they are on one box. I have set several up in the past like that but the client does not want passwords sent over port 80 in clear text. Brian Brian Rota, MTM Technologies, Inc. (formerly NEXL, Inc.) Sr. Systems Engineer,MCSE,CCEA Tel. 978.538.3000 Cell 978.886.8127 ________________________________ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Joe Shonk Sent: Tuesday, April 25, 2006 12:26 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: CSG and Web Interface on 1 box Why? You only need 1 public IP address and 1 SSL certificate. The CSG service will proxy WI traffic for you. Both can reside on the same server... CSG runs on 443 and WI on 80 so there is no conflict. Joe ________________________________ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Rota, Brian Sent: Tuesday, April 25, 2006 9:17 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] CSG and Web Interface on 1 box Hello I have a client with 25 users currently They are looking to upgrade the hardware that runs their CSG and Web interface currently on 2 servers. They would like to consolidate if possible to one box securely. Can this be done by hosting 2 Ip addresses on the same server? I know in the past you have had to change the SSL port on IIS to something like 444 to make it work. I was thinking 1 ip for CSG using an SSL cert and 1 ip for Web interface using a different SSL cert. Thanks Brian