[THIN] Re: Citrix via port 80 and 443

  • From: "Alexander Danilychev" <teknica@xxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Wed, 18 Dec 2002 14:07:19 -0800

There is no reason to expose the scripts folder or use the scripts folder to begin 
with. The STA DLL should be visible only to CSG and NFuse, not to MetaFrame or 
outside users. You can use multi-homing or restrict access to scripts by IP 
address.

ALEX


>From: "Joe Shonk" <JShonk@xxxxxxxxxxxxxx>
>Reply-To: thin@xxxxxxxxxxxxx
>To: <thin@xxxxxxxxxxxxx>
>Subject: [THIN] Re: Citrix via port 80 and 443
>Date: Wed, 18 Dec 2002 13:35:49 -0800
>
>
>I'm not quite sure about NFuse and the STA on the same box...   The
>scripts directory requires write access for the STA service to function
>properly...  And if the web server is publicly available, it will be easier
>to compromise.  IIS will always be the weakest link (as long as MS
>treats security as a PR issue).  Having the STA service on a public
>webserver would be almost like making it a Domain Controller...
>
>
>
>-----Original Message-----
>From: Alexander Danilychev [mailto:teknica@xxxxxxxxxxx]
>Sent: Wednesday, December 18, 2002 11:09 AM
>To: thin@xxxxxxxxxxxxx
>Subject: [THIN] Re: Citrix via port 80 and 443
>
>
>
>You need two boxes for C since a multi-homed web server with CSG is no good
>(you can do it, obviously; as we know, you need to disable socket pooling on IIS
>etc, etc...).
>
>STA on MetaFrame is not that bad since STA load is virtually ZERO. From a
>security perspective and load balancing of MetaFrame I will not mess with
>the MetaFrame/STA combination. I like to keep STA on the DMZ contrary to official
>documentation and I think Citrix engineers are in agreement with that (hide
>STA from outside as prescribed).
>
>Port 1494 is required as you pointed out.
>
>So, one box for CSG, one for NFuse and STA, another set of boxes for the load
>balanced MetaFrame farm. CSG, NFuse and STA are on the DMZ, MetaFrame behind.
>Outside ports - 80 and 443; on the inside 80, 443 and 1494, or only 443 and
>1494.
>
>One cert for CSG (public cert), one cert for NFuse (public cert), one cert
>for XML (can be homegrown). ICA - 128-bit.
>
>OK?
>
>ALEX
>
> >From: "Joe Shonk" <JShonk@xxxxxxxxxxxxxx>
> >Reply-To: thin@xxxxxxxxxxxxx
> >To: <thin@xxxxxxxxxxxxx>
> >Subject: [THIN] Re: Citrix via port 80 and 443
> >Date: Wed, 18 Dec 2002 08:32:57 -0800
> >
> >
> >Scenario C works best:  NFuse and CSG both running on port 443.
> >
> >The STA can go on the Metaframe Server.
> >
> >Joe
> >
> >-----Original Message-----
> >From: Alexander Danilychev [mailto:teknica@xxxxxxxxxxx]
> >Sent: Tuesday, December 17, 2002 8:19 PM
> >To: thin@xxxxxxxxxxxxx
> >Subject: [THIN] Re: Citrix via port 80 and 443
> >
> >
> >
> >Just to make sure:
> >
> >Yes, you can make NFuse work with CSG and STA all on the same box.
> >Besides stability at heavy loads and "hackability", the main problem is
> >associated with standard ports open at client firewalls, thus limiting us to
> >ports 80 and 443. This effectively narrows possibilities to:
> >-----------------------
> >Scenario A:
> >-----------------------
> >Have no SSLed authentication for NFuse (bad) and deploy CSG via standard
> >port 443.
> >-----------------------
> >Scenario B:
> >-----------------------
> >Have SSLed CSG on port 80 (problems with a small number of firewalls) with
> >SSLed NFuse on port 443.
> >
> >STA goes on the same port as NFuse with access list protection.
> >
> >Note that scenario B uses SSL on both ports - 80(!) and 443. Only one
> >certificate is required.
> >
> >Again, it will work. However this is only useful as an exercise, not a
> >production grade solution.
> >
> >ALEX
> >
> >
> >
> > >From: "Rowlandson, John" <John.Rowlandson@xxxxxxxxxxxxx>
> > >Reply-To: thin@xxxxxxxxxxxxx
> > >To: <thin@xxxxxxxxxxxxx>
> > >Subject: [THIN] Re: Citrix via port 80 and 443
> > >Date: Wed, 18 Dec 2002 11:55:17 +1100
> > >
> > >
> > >
> > >
> > >Nick
> > >
> > >You need a cert for your csg box and 1 for your https:// url
> > >
> > >Not many people know that CSG was developed in good old Sydney, Australia
> > >:D
> > >
> > >John
> > >
> > >
> > >-----Original Message-----
> > >From: Nick Crisp [mailto:ncrisp@xxxxxxxxxxxxxxxxxxxxxxx]
> > >Sent: Wednesday, December 18, 2002 11:49 AM
> > >To: thin@xxxxxxxxxxxxx
> > >Subject: [THIN] Re: Citrix via port 80 and 443
> > >
> > >
> > >
> > >Thanks for your input everyone
> > >Doing this without Elite may make things more simple, I'll give it a go.
> > >I was having trouble testing it because I couldn't get it to function,
> > >but I think this is because I was trying to get as much of it as
> > >possible onto one machine... Can anyone tell me if I need a second web
> > >cert for the CSG, or not? Thanks Nick
> > >
> > >
> > >Nick Crisp
> > >Network Manager
> > >www.pinnaclesoftware.com.au
> > >
> > >
> > >-----Original Message-----
> > >From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
> > >Behalf Of Alexander Danilychev
> > >Sent: Wednesday, 18 December 2002 3:29 AM
> > >To: thin@xxxxxxxxxxxxx
> > >Cc: ncrisp@xxxxxxxxxxxxxxxxxxxxxxx
> > >Subject: [THIN] Re: Citrix via port 80 and 443
> > >
> > >
> > >
> > >Hi,
> > >
> > >It depends on your own firewall and more importantly your clients'
> > >firewalls. I will not bet on it, i.e. I have personally witnessed when this
> > >approach did not work. There are many sites that do that however and not only
> > >with ICA but with RDP as well.
> > >
> > >Note that success of CSG is partially based on the fact that ICA is now
> > >"Internet friendly" versus RDP.
> > >
> > >ALEX
> > >
> > >
> > >
> > > >From: "Ron Oglesby" <roglesby@xxxxxxxxxxxx>
> > > >Reply-To: thin@xxxxxxxxxxxxx
> > > >To: <thin@xxxxxxxxxxxxx>
> > > >Subject: [THIN] Re: Citrix via port 80 and 443
> > > >Date: Tue, 17 Dec 2002 08:24:48 -0600
> > > >
> > > >
> > > >Yes. It really works. Of course every one of them I have done has been
> > > >with NFuse classic not NFuse elite (which last I heard was still a big
> > > >security hole) but if you are just trying to get an app to run all you
> > > >need is NFuse classic, the MetaFrame servers and CSG.
> > > >
> > > >Ron
> > > >
> > > >Ron Oglesby
> > > >Senior Technical Architect
> > > >RapidApp
> > > >Office 312.372.7188
> > > >Mobile 312.961.2380
> > > >email roglesby@xxxxxxxxxxxx
> > > >
> > >
> > >
> > >***********************************************
> > >This Weeks Sponsor: 99point9.com
> > >The 99Point9.com Online Tech Support
> > >Helpdesk is the one-stop solution for all
> > >your server-based computing needs.
> > >http://www.99point9.com
> > >************************************************
> > >For Archives, to Unsubscribe, Subscribe or
> > >set Digest or Vacation mode use the below link.
> > >
> > >http://thethin.net/citrixlist.cfm
> > >This Weeks Sponsor: 99point9.com
> > >The 99Point9.com Online Tech Support
> > >Helpdesk is the one-stop solution for all
> > >your server-based computing needs.
> > >http://www.99point9.com
> > >************************************************
> > >For Archives, to Unsubscribe, Subscribe or
> > >set Digest or Vacation mode use the below link.
> > >
> > >http://thethin.net/citrixlist.cfm
> >
> >
> >
>
>
>



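The restriction Alex recommends above (the STA DLL reachable only from the CSG and NFuse hosts, enforced by source IP address) can be expressed as a deny-by-default check and then audited against the web server's access log. The following is an added example written for this page, not code from the thread or from Citrix. The addresses, the STA path (/scripts/ctxsta.dll) and the log lines are constructed assumptions; in production the same policy is configured as an IIS IP address restriction on the scripts directory and the audit runs over the real W3C log.

```python
"""Source-IP allow-list for the STA path, plus an audit over IIS-style log lines.

Added example: constructed addresses and log lines, not from the mailing-list thread.
"""
import ipaddress

# Constructed DMZ addressing (assumption): only these two hosts may ever
# talk to the Secure Ticket Authority. Everything else is denied.
ALLOWED_STA_CLIENTS = [
    ipaddress.ip_network("192.0.2.10/32"),   # CSG (Citrix Secure Gateway)
    ipaddress.ip_network("192.0.2.11/32"),   # NFuse web server
]

# Assumed location of the STA DLL under the scripts folder.
STA_PATH = "/scripts/ctxsta.dll"


def sta_request_allowed(peer_ip: str, path: str) -> bool:
    """Deny-by-default decision for a request whose URI hits the STA path.

    Only the TCP peer address is consulted. A forwarded-for style header is
    attacker-controlled and must never be used for this decision.
    Requests to other paths are out of scope for this rule and pass through.
    """
    if not path.lower().startswith(STA_PATH):
        return True
    try:
        ip = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False          # unparsable peer address: fail closed
    return any(ip in net for net in ALLOWED_STA_CLIENTS)


# Constructed IIS W3C-style lines: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2002-12-18 14:07:19 192.0.2.10 POST /scripts/ctxsta.dll 200
2002-12-18 14:07:20 192.0.2.11 POST /scripts/ctxsta.dll 200
2002-12-18 14:07:21 198.51.100.7 POST /scripts/ctxsta.dll 200
2002-12-18 14:07:22 198.51.100.7 GET /Citrix/NFuse/login.asp 200
2002-12-18 14:07:23 198.51.100.8 GET /SCRIPTS/CTXSTA.DLL?x 200
"""


def audit_sta_access(log_text: str) -> list:
    """Return (peer_ip, path) for every STA hit that the allow-list would deny.

    Useful as a check that the IIS restriction is actually in place: any
    entry returned here came from a host that should never reach the STA.
    """
    violations = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue                      # skip header/comment lines
        peer_ip, path = parts[2], parts[4]
        if path.lower().startswith(STA_PATH) and not sta_request_allowed(peer_ip, path):
            violations.append((peer_ip, path))
    return violations


if __name__ == "__main__":
    for peer_ip, path in audit_sta_access(SAMPLE_LOG):
        print("STA reached from unexpected source:", peer_ip, path)
```

The path comparison is case-insensitive because IIS serves the DLL regardless of case; an allow-list keyed on an exact lowercase string would miss the last sample line.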
