Before you start throwing money at this, you might just change the port for ICA. Only running published applications is a good thing also. This all depends on how seriously you want to address this problem. I just thought I'd put out some quick fix ideas that don't require a budget.

John Carver
MCSE, CCEA, MCT, CCI, DAD
- MetaFrame XP Practice Exams at www.LearnCitrix.com -

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
Sent: Wednesday, August 21, 2002 3:57 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: How can I keep people from seeing my server

Correct. The only costs you will have to inherit is for the hardware you may have to purchase and the SSL certificates for the CSG and the Nfuse site (which are two certs).

CHRIS LYNCH - MCSE, CCNA, CCA
NETWORK ENGINEER - INFORMATION TECHNOLOGY
NRT Incorporated, 27271 Las Ramblas, Mission Viejo, CA 92691
Chris.lynch@xxxxxxxxxx
Tel 949.367.3406

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Hathaway
Sent: Wednesday, August 21, 2002 3:45 PM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: How can I keep people from seeing my server

CSG allows you to only expose port 443 for external access, as opposed to the now well known 1494 for Citrix connections. If you have XPe systems that you want to allow external access to, you may very well want to take a look at Nfuse and CSG. You can get them without any additional costs from
https://secureportal.citrix.com/MyCitrix/cds/host.dll?page=login&action=display

HTH
J

-----Original Message-----
From: Adam_Baum@xxxxxxxxxxxxx [mailto:Adam_Baum@xxxxxxxxxxxxx]
Sent: Wednesday, August 21, 2002 3:21 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: How can I keep people from seeing my server

Yes. No one has succeeded in logging in since they don't have a valid account. I wouldn't say completely exposed. Our router filters out all traffic except port 1494.

It's very hard for us to do VPN because too many users have too many machines (I have 5). We also let our external business partners in (just a teeny bit) via MetaFrame. We don't have the $$$ for a good hardware VPN solution. Also, depending on which VPN solution you use, most of our users don't have static IP addresses.

As for CSG, I am not familiar with it but if it's connected to the Internet, people can hack it too.

"Chris Lynch" <lynch00@xxxxxxt>
Sent by: thin-bounce@freelists.org
08/21/2002 03:12 PM
Please respond to thin
To: <thin@xxxxxxxxxxxxx>
cc:
Subject: [THIN] Re: How can I keep people from seeing my server

You mean someone is trying to log in to your MF server when it is completely exposed to the Internet? Why don't you have CSG implemented, or only allow access for external users through a VPN connection? There are many hack techniques out there that someone "could" bring your server down, or worse gain access and steal data.

Just my humble opinion.

CHRIS LYNCH - MCSE, CCNA, CCA
NETWORK ENGINEER - INFORMATION TECHNOLOGY
NRT Incorporated, 27271 Las Ramblas, Mission Viejo, CA 92691
Chris.lynch@xxxxxxxxxx
Tel 949.367.3406

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Adam_Baum@xxxxxxxxxxxxx
Sent: Wednesday, August 21, 2002 2:57 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] How can I keep people from seeing my server

Hi Folks,

On a W2K SP2, XPe FR2 system. I've disabled all the "respond to ICA broadcasts" and I've unchecked all the "Create browser listener on ...". I'm still getting invalid logons. These don't look targeted. More like something is broadcasting/responding. My MF 1.8 server doesn't do this and I can't determine what is different between them.

I should mention that these servers are used for remote access so they are Internet connected. Other than the farm checkbox of responding to RAS broadcasts (won't let me disable it), everything appears to be set up correctly. Given that my servers are 1 IP address away from each other, I can't see how one is getting hit (on purpose) and not the other. I've also made sure the router is configured the same for both ports.

Any ideas?

adam

===================================
This weeks Sponsor: ThinPrint
- High resolution, DRIVER FREE PRINTING with no loss of quality in color.
- Removes print spooling and rendering tasks from your terminal server.
http://www.thinprint.com
===================================
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link.
http://thethin.net/citrixlist.cfm