[THIN] Re: Hold it!!!: There is no Citrix SSL Server configured on the specified address.

  • From: "Alexander Danilychev" <teknica@xxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Thu, 13 Mar 2003 08:59:43 -0800

Hi Joe,

Here is a simple example - you get a heavy hit on the web server by 
something like Red Worm and your HTTP users will not even know. Your CSG or 
MetaFrame users will get dropped right there. So, do not put them on the 
same box, unless Citrix creates an integrated app as you say. For 
load-balancing, security and stability reasons, NFuse should never be coupled 
with reverse proxies such as CSG.

At first glance STA on MetaFrame does not look that bad; after all, MetaFrame 
generates its own tickets. However, STA tickets are generated for multiple 
servers and a downed MetaFrame box (within the ticket window) will jeopardize 
connections to other servers - if you would like your STA to be rock solid, 
do not put it on MetaFrame.

Regarding "Authentication/Ticketing should always be done internally" - STA 
creates and verifies tickets and has nothing to do with authentication, and 
the only risk with STA is a denial-of-service attack.  So, if you drop STA on 
the NFuse box (on a different IP if possible) you are not compromising your 
security. With a different IP (not visible from outside!) you can load-balance 
NFuse and STA independently.

ALEX

>From: "Joe Shonk" <JShonk@xxxxxxxxxxxxxx>
>Reply-To: thin@xxxxxxxxxxxxx
>To: <thin@xxxxxxxxxxxxx>
>Subject: [THIN] Re: Hold it!!!: There is no Citrix SSL Server configured on the specified address.
>Date: Thu, 13 Mar 2003 08:26:57 -0800
>
>
>Ugh, not sure where you are getting those ideas, but it is never
>recommended to put the STA on the NFuse box.  Especially if it's in the
>DMZ.  Authentication/Ticketing should always be done internally.
>
>The STA on the MetaFrame server is fine; this is how most installations
>end up, as who wants to dedicate a $2000 server for a simple function
>like STA.
>
>NFuse/CSG combination is OK.. Many people are doing this.  This will be
>native for the next release of CSG (if I am allowed to say that much).
>
>-----Original Message-----
>From: Alexander Danilychev [mailto:teknica@xxxxxxxxxxx]
>Sent: Wednesday, March 12, 2003 11:55 PM
>To: thin@xxxxxxxxxxxxx
>Subject: [THIN] Hold it!!!: There is no Citrix SSL Server configured on the specified address.
>
>
>
>--------------------------
>Hey, guys, don't go nuts!
>--------------------------
>
>1. Get STA away from MetaFrame to the NFuse box.
>Secure the "scripts" folder either by multi-homing or by IP restriction - STA
>should be visible only to NFuse and CSG.
>2. "Port sharing" is a bad term - do not use it (I guess it came from Citrix
>marketing, not tech guys) - STA as well as the XML implementation without a
>listener runs in the scope of IIS, so no "port sharing" here.
>3. XML service that defaults to port 80 requires IIS, which makes sense
>when you plan to use SSL to secure XML traffic and thus port 443; if
>security is not a concern(?!) - use XML service with its own listener (in
>that case it actually runs as a service and you can see it among the services
>applets).
>
>So:
>--------------------------
>1. Install STA on the same box as NFuse (use multi-homing when everything
>works)
>2. Install CSG on a separate box. My recommendation is to install IIS for
>certificate installation and troubleshooting - disable IIS when starting
>CSG.
>3. On the MetaFrame side have IIS installed (if you do not like it - install the
>XML listener and run it as a service). I like IIS, since to secure the XML
>service otherwise you will need to run Citrix SSL Relay (remember that one?)
>
>3-box solution (NFuse/STA, CSG and MetaFrame farm) - the easiest to
>implement, and do not confuse yourself by hiding STA behind the DMZ - the
>original Citrix configuration is overkill.
>
>Again, STA should live on an IIS system where stateless connections are the
>norm. Do not put STA or NFuse on boxes like CSG or MetaFrame where
>connections are always on, unless users can tolerate dropped connections.
>IIS on MetaFrame for XML is not an issue and is a better choice for SSLed
>XML.
>
>ALEX
>
>
> >From: "Chris Lynch" <lynch00@xxxxxxx>
> >Reply-To: thin@xxxxxxxxxxxxx
> >To: <thin@xxxxxxxxxxxxx>
> >Subject: [THIN] Re: There is no Citrix SSL Server configured on the specified address.
> >Date: Wed, 12 Mar 2003 22:10:53 -0800
> >
> >
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >Ok.  I have run into this in the past, but I don't know if this is
> >causing your problem.  If you have XML port sharing on your MetaFrame
> >server, then you will need to disable this.  You will move your IIS port
> >from 80 to 81, and make sure that this rule has been changed in the
> >firewall to reflect this.  Also, make sure you add this in the NFuse
> >page as http://servername:81/scripts/...  Also, reconfigure the CSG and
> >select Advanced.  You will then be able to specify the port the STA is
> >listening on (default again is 80, change that to 81).  On your
> >MetaFrame box that hosts the STA, unregister the XML service
> >(CTXXMLS.EXE /U, or something like that), then re-register it with /R80.
> >
> >Then, try it again.
> >
> >I have seen this happen on a MetaFrame XPe server running FR2/SP2, and I
> >had to make this change for this to work properly.  I haven't taken the
> >time to investigate as to why, as I have installed CSG numerous times.
> >Mainly, I have always had another server dedicated for the STA.  Oh
> >well.
> >
> >Let me know how it goes.
> >
> >Chris
> >
> >-----Original Message-----
> >From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
> >Behalf Of Joe Shonk
> >Sent: Wednesday, March 12, 2003 9:32 PM
> >To: thin@xxxxxxxxxxxxx
> >Subject: [THIN] Re: There is no Citrix SSL Server configured on the specified address.
> >
> >
> >
> >Do you have a separate website in IIS for CSG (to install the
> >certificate)?
> >You do have separate IP addresses bound to the NIC, one for IIS and
> >one for CSG? You have disabled the IIS website for CSG (after
> >installing the certificate)?
> >You have disabled Socket Pooling for IIS (this is required to get NFuse
> >and CSG to both utilize port 443 on the same server)?
> >
> >Joe
> >
> >-----Original Message-----
> >From: Chris Hardy [mailto:Chris.Hardy@xxxxxxxxxxxxx]
> >Sent: Wednesday, March 12, 2003 9:17 PM
> >To: 'thin@xxxxxxxxxxxxx'
> >Subject: [THIN] Re: There is no Citrix SSL Server configured on the specified address.
> >
> >
> >
> >I've got no hair left!!
> >
> >I may be going mad but these are my firewall rules, I'm sure this is all
> >you need for a proper CSG solution.
> >
> >1. External access on port 443 to the NFuse and CSG boxes (same box) -
> >you can get to these boxes on 443 from anywhere.
> >2. NFuse and CSG box has 80, 443 and 1494 access to the MetaFrame server on
> >the internal network.
> >
> >I have checked and double checked that all ports and access are open and
> >working correctly.
> >
> >I don't need external access to my MetaFrame box, right?  That then
> >defeats the purpose of CSG, right?  The only access to the MetaFrame
> >server is from the NFuse/CSG box in the DMZ.
> >
> >Like I said before, I can log in - get the published app. list (I know
> >this is all done on XML - port 80) but the minute I click on the
> >published app.
> >
> >Maybe it's time to call Citrix themselves, I don't know what else to look
> >at.
> >
> >-----Original Message-----
> >From: Chris Hardy
> >To: 'thin@xxxxxxxxxxxxx'
> >Sent: 13/03/03 9:01
> >Subject: [THIN] Re: There is no Citrix SSL Server configured on the specified address.
> >
> >
> >Thanks Richard - will check on that - something I didnt even think of.
> >
> >-----Original Message-----
> >From: Manley, Richard [mailto:RManley@xxxxxxxxxxxxxxxx]
> >Sent: Thursday, 13 March 2003 12:46 AM
> >To: 'thin@xxxxxxxxxxxxx'
> >Subject: [THIN] Re: There is no Citrix SSL Server configured on the specified address.
> >
> >
> >
> >I can't remember now but when we set this up we had a problem where our
> >certificate authority issued the certificate as csg rather than
> >csg.company.com.  I think we had issues with this that created the above
> >error.
> >
> >-----Original Message-----
> >From: Steve Snyder [mailto:steven_snyder@xxxxxxxxx]
> >Sent: 12 March 2003 06:04
> >To: thin@xxxxxxxxxxxxx
> >Subject: [THIN] Re: There is no Citrix SSL Server configured on the specified address.
> >
> >
> >
> >In addition to using the FQDN in DNS, don't forget to
> >have the domain name as part of the server's fully
> >qualified name as well - System Properties, Network Identification, Full
> >Computer Name.
> >
> >--- Chris Hardy <Chris.Hardy@xxxxxxxxxxxxx> wrote:
> > >
> > > Thanks Roger.  I've been down that track.  The SSL
> > > relay FQDN is right and
> > > of course the name/IP address of the MetaFrame server
> > > is encrypted with the
> > > STA and CSG stuff.
> >
> >
> >-----BEGIN PGP SIGNATURE-----
> >Version: PGP 8.0
> >Comment: Public PGP key for Chris Lynch
> >
> >iQA/AwUBPnAg7G9fg+xq5T3MEQL7dACdH4B8lzsZ5I3C2m954XxqQeKaYD8AnR9Z
> >qYVPtjY0YycV+o7iygnq3yQg
> >=Ickx
> >-----END PGP SIGNATURE-----
>



*********************************************************
This Week's Sponsor - RTO Software / TScale
TScale increases terminal server capacity. 
Get 30-40% more users per server to save $$$ and time. 
Add users now! - not more servers. If you're using Citrix, 
you must learn about TScale!  Free 30-day eval:
http://www.rtosoft.com/Enter.asp?ID=79
**********************************************************

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
