Thanks Steve. In most cases (I would guess) some sort of communication would have to happen to backends inside firewalls anyway, depending on the apps given to users. I don't see a huge risk in allowing a Citrix server or two to talk to the internal farm... After all, it's only a few more ports open. Of course, the fewer open the better. And of course, if it was many servers in the DMZ then yes, isolate. Now to work on that hardened Citrix build....

Malcolm

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Greenberg
Sent: 25 April 2007 21:52
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix on DMZ

In the cases I am referring to, the security policy dictated that there be no communication between the DMZ and the private network. Since there was to be no communication, that host could not effectively be part of an internal farm. Also, for the most part, these were single-server implementations for specific B-to-B purposes, so having a separate farm really just means a little more management work to handle and not much more cost. There are many other possible scenarios where some inside communications are allowed, and this would allow the DMZ servers to be part of an internal farm but still limit end-user sessions and connectivity to within the DMZ....

Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd D8453
Scottsdale, AZ 85262
(602) 432-8649
www.thinclient.net
steveg@xxxxxxxxxxxxxx

________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Malcolm Bruton
Sent: Wednesday, April 25, 2007 11:46 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix on DMZ

Steve

Why do you use a different farm? Do you see it offers significant security features by doing this? If so, what exactly? If it's a small farm it's quite costly to build the redundancy.

Malcolm

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Turman, David C.
Sent: 25 April 2007 18:41
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix on DMZ

We have external customers (non-employees) that run a Term Server app (PowerBuilder 6.5). The TermServer app talks through the firewall to an internal SQL Server database. We just create user IDs in the external DMZ domain for them to use. What else would you suggest?

________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Greenberg
Sent: Wednesday, April 25, 2007 11:58 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix on DMZ

We have done it a number of times for secure government business-to-business applications. This is where the app and data are on the Presentation Server and the security policy disallows internal access. In these cases the server is usually a standalone farm, and if I knew what was running on it they would have to kill me :-)

Steve Greenberg

________________________________
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Joe Shonk
Sent: Wednesday, April 25, 2007 6:03 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix on DMZ

Question. Why would you want to put a Presentation Server in the DMZ? I know there are some valid reasons, so make sure to take the litmus test first. It's 2512, 80 (or whatever the XML port is), 1494, 2598, 27000, and the TS Licensing port.

Joe

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Turman, David C.
Sent: Tuesday, April 24, 2007 12:51 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Citrix on DMZ

If I were to put a Presentation Server 4.0 box on a DMZ, what ports would I need to open on the firewall to have it talk to and be a member of a Presentation Server 4.0 Citrix farm on the inside of the firewall? I'm assuming at least 1433. Any others, or problems with doing this?
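Editor's note, added to the thread and not written by any of the posters above: the port list Joe gives (2512, the XML port, 1494, 2598, 27000, TS Licensing) plus the 1433 David assumes is easiest to verify from the DMZ box itself, because that is the vantage point the firewall rules apply to. The script below does exactly that: it attempts a TCP connect to each port on a farm host and reports which rules are actually in place. The service names in the table are the standard Citrix and SQL Server assignments; the XML port is site-configurable (80 is only the usual default), and TS Licensing is RPC-based rather than a single fixed port, so it is left out of the table and has to be checked per site. The host name `ps40-farm.internal.example` is a placeholder. The same list doubles as the list of paths a compromised DMZ host would have into the farm, which is the cost behind "only a few more ports open": IMA (2512) and the data store (1433) in particular should be allowed only between specific source and destination addresses, not DMZ-wide.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# Ports named in the thread for a Presentation Server 4.0 member that must talk
# to an internal farm, with the service each is conventionally assigned to.
# TS Licensing (RPC, TCP 135 plus a dynamic range) is deliberately omitted:
# it is not one fixed port and must be checked separately for the site.
FARM_PORTS: Dict[int, str] = {
    2512: "IMA (farm membership / data collector traffic)",
    80: "Citrix XML Service (default port; site-configurable)",
    1494: "ICA",
    2598: "CGP / Session Reliability",
    27000: "Citrix License Server (lmgrd)",
    1433: "SQL Server data store (only if the farm uses SQL Server)",
}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP three-way handshake to host:port completes.

    Refused, filtered (timed out) and unreachable all come back as False;
    a firewall that silently drops will cost the full timeout.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_farm_ports(host: str,
                     ports: Iterable[int] = tuple(FARM_PORTS),
                     timeout: float = 2.0) -> Dict[int, bool]:
    """Probe each port on the farm host; map port -> reachable?"""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def split_results(results: Dict[int, bool]) -> Tuple[List[int], List[int]]:
    """Return (reachable_ports, blocked_ports), each sorted ascending."""
    reachable = sorted(p for p, ok in results.items() if ok)
    blocked = sorted(p for p, ok in results.items() if not ok)
    return reachable, blocked


def describe(port: int) -> str:
    """Human-readable label for a port, falling back to the number alone."""
    return f"{port}/tcp {FARM_PORTS.get(port, '(not in thread list)')}"


if __name__ == "__main__":
    # Placeholder farm host name; substitute the internal farm member or
    # data collector this DMZ box is expected to join.
    farm_host = "ps40-farm.internal.example"
    results = check_farm_ports(farm_host)
    reachable, blocked = split_results(results)
    print(f"Farm host: {farm_host}")
    for port in reachable:
        print("  OPEN    ", describe(port))
    for port in blocked:
        print("  BLOCKED ", describe(port))
```

Run it from the DMZ server before joining the farm: every port in the BLOCKED list is a rule still missing (or, if it is 1494/2598, a rule you may not want between server tiers at all, since those carry user sessions rather than farm traffic). Run it again from an unrelated DMZ host afterwards; anything that shows OPEN there is a rule that is wider than the one server-to-server pair it was meant for.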