[THIN] Re: NFUSE and NAT

  • From: "Jim Hathaway" <JimH@xxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Fri, 9 May 2003 11:43:30 -0700

Jay,

I'm thinking from your previous posts that you're mixing up SSL
certificates (assigned to your external Nfuse and CSG servers) with the
ticketing process of the STA.

With any implementation of SG, a recognized 3rd party SSL Certificate
(Verisign, Thawte, Geotrust, etc...) to protect your Nfuse site, and
your SG server itself are indeed highly recommended. (you can do the
same process with certificates from private cert providers like MS's
cert server, but it's a bit of a pain)

You can indeed run your STA on a metaframe server. Many people do this.
It will require that IIS be installed on the metaframe server, and that
this server is accessible from the DMZ via port 80 (default Http).

The bottom line is that Citrix's SG solution is pretty much a closed
package. The only 3rd party piece that's really needed for it to
function properly would be a set of valid SSL certificates. And of
course a correctly setup DMZ.

Check out Citrix's PDF on the architecture; it's not too difficult to
figure out the whole process of traffic in a SG config once you read
through their docs on it.

Go to http://support.citrix.com

And search for CTX18604

HTH

J
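The ticketing flow that Jim describes here (an internal STA reached only by the DMZ components) and that Carlos describes further down the thread (tickets so the user never learns the MetaFrame server's address) can be modelled in a few lines. The block below is an added illustration, not Citrix code and not the real STA wire protocol or ICA file syntax: the component names, the DMZ caller list, the server address and the file layout are all constructed for the example, and the real STA's ticket format, timeout and transport differ.

```python
"""Simplified model of Secure Gateway ticketing (added illustration, not Citrix's STA)."""
import secrets

# Constructed sample data: the farm's internal MetaFrame address for one
# published app, and the only callers allowed to reach the STA listener
# (in the thread's design these are the NFuse and CSG boxes in the DMZ).
INTERNAL_APP_SERVERS = {"Notepad": "10.20.30.40:1494"}
DMZ_CALLERS = {"nfuse-dmz", "csg-dmz"}


class TicketAuthority:
    """Internal STA model: issues opaque, short-lived, single-use tickets.

    The ticket stands in for the internal address, so the address itself is
    never written into anything the end user can read.
    """

    def __init__(self, ttl_seconds=100):
        self.ttl = ttl_seconds
        self._tickets = {}  # ticket id -> (internal address, expiry time)

    def request_ticket(self, caller, internal_address, now):
        # Only the DMZ front end / gateway may ask for tickets.
        if caller not in DMZ_CALLERS:
            raise PermissionError(f"{caller} may not request tickets")
        ticket = secrets.token_hex(16)  # unguessable; carries no address data
        self._tickets[ticket] = (internal_address, now + self.ttl)
        return ticket

    def redeem_ticket(self, caller, ticket, now):
        if caller not in DMZ_CALLERS:
            raise PermissionError(f"{caller} may not redeem tickets")
        entry = self._tickets.pop(ticket, None)  # pop: one redemption only
        if entry is None:
            return None  # unknown, already used, or forged
        address, expiry = entry
        if now > expiry:
            return None  # ticket timed out before the client connected
        return address


def build_launch_file(gateway_host, ticket):
    """What the web front end hands to the browser (constructed layout):
    only the public gateway name and the ticket, never the internal address."""
    return (
        "[Connection]\n"
        f"Gateway={gateway_host}:443\n"
        f"Ticket={ticket}\n"
    )


def launch(sta, web_caller, gateway_caller, app, gateway_host, now):
    """Whole flow: front end gets a ticket, the client carries it to the
    gateway, and the gateway redeems it with the STA to learn the target."""
    internal = INTERNAL_APP_SERVERS[app]
    ticket = sta.request_ticket(web_caller, internal, now)
    client_file = build_launch_file(gateway_host, ticket)
    # The gateway validates the ticket with the STA a few seconds later.
    target = sta.redeem_ticket(gateway_caller, ticket, now + 5)
    return {"client_file": client_file, "gateway_target": target, "ticket": ticket}


if __name__ == "__main__":
    sta = TicketAuthority(ttl_seconds=100)
    result = launch(sta, "nfuse-dmz", "csg-dmz", "Notepad", "gateway.example.com", now=1000)
    print(result["client_file"])
    print("gateway connects to:", result["gateway_target"])
    print("replay refused:", sta.redeem_ticket("csg-dmz", result["ticket"], 1010) is None)
```

The three properties worth checking in any ticketing design are visible in the model: the launch file contains the ticket but not the internal IP, a second redemption of the same ticket is refused, and a ticket older than its TTL is refused. The caller allow-list is the model's stand-in for Jim's point that the STA's IIS listener on port 80 should be reachable from the DMZ only, not from the Internet.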


-----Original Message-----
From: Jensen, Jay [mailto:jjensen@xxxxxxxxx]
Sent: Friday May 09, 2003 10:48 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: NFUSE and NAT


Can you run STA on a MetaFrame server or is this not recommended?  jay

-----Original Message-----
From: Carlos Sanabria [mailto:csanabria@xxxxxxx]
Sent: Thursday, May 08, 2003 9:58 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: NFUSE and NAT



Jay,

The STA is NOT a Certificate Authority and DOES NOT give out PKI
Certificates; what it does is generate tickets so that users never know the
actual IP Address of the MetaFrame Servers, and no Username/Password
information travels through the insecure network or the Internet (although
you COULD use Nfuse ticketing, which would protect the Username/Password but
not the MF Internal IP Address).

The STA is MANDATORY and no 3rd party can provide a substitute if you use
Citrix Secure Gateway in normal mode (there is a relay mode that does not
need the STA, but it should only be used in specific scenarios).

Bottom line, your Engineering team SHOULD read the CSG Administrator's
Guide. Or even better, help out your friends and hire a Citrix Consultant in
your area. :-)

Cheers,

Carlos Sanabria, CCA, MCSA
IT Consultant

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jensen, Jay
Sent: Thursday, May 08, 2003 9:36 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: NFUSE and NAT



Sorry if I am mistaken but I do not do any of the security and I depend on
others for this environment.  I was told by a person that is engineering our
Secure Gateway that the STA server that should be used is a 3rd party
secure server external to the company and that external company would act as
our Certificate Authority server.  From what they explained to me, this
CA server would act as my Secure Ticket Authority.

IF they are giving me an incorrectly engineered environment, I need to
understand what that may be so I can question their solution.  That is the
basis of my question.  I have my doubts that this is the right approach.
From what you just told me it sounds like their engineered method will not
work.

Is this correct?

Thanks again.
Jay

-----Original Message-----
From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx]
Sent: Thursday, May 08, 2003 9:27 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: NFUSE and NAT



Jay, I'm not sure I understand.  Your STA is a machine, usually internal,
that handles the authentication steps.  It has the STA piece of Secure
Gateway installed.  If what you are asking about is the secure
certificate(s) needed, then that is a whole different ballgame.  We generate
our own, but it does cause problems.  They are no more or less secure than
any other 128-bit certificate, but you have to have your root added as a
Trusted Root CA on every client machine.  In some cases that is a real pain.
Had I the chance to do it over again, I might choose a different route and
just cough up the cash.

-Paul

> ----------
> From:         Jensen, Jay[SMTP:jjensen@xxxxxxxxx]
> Reply To:     thin@xxxxxxxxxxxxx
> Sent:         Thursday, May 08, 2003 10:22 AM
> To:   'thin@xxxxxxxxxxxxx'
> Subject:      [THIN] Re: NFUSE and NAT
>
>
> This is a question for all of you.
>
> In the Citrix Secure Gateway environment, a question came up that I
> would like your expert opinions on. An assumption is that we have a
> secure external firewall, DMZ, and secure internal firewall.
>
> The Secure Ticket Authority (STA).  Is it more secure to install your
> own internal STA server versus using a 3rd-Party Certificate Authority
> from an external secure CA?
>
> What are the arguments either way?
>
> Thanks in advance.
> Jay
>
> -----Original Message-----
> From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx]
> Sent: Thursday, May 08, 2003 9:03 AM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: NFUSE and NAT
>
>
>
> Sure, you will just need to use the ALTADDR for the MF servers.
>
> -Paul
>
> > ----------
> > From:       Trygve Ryslett[SMTP:trygve.ryslett@xxxxxxx]
> > Reply To:   thin@xxxxxxxxxxxxx
> > Sent:       Thursday, May 08, 2003 10:00 AM
> > To:         thin@xxxxxxxxxxxxx
> > Subject:    [THIN] NFUSE and NAT
> >
> >
> > Is this possible? How?
> > The firm has a Cisco router with NAT, and wants to be able to reach
> > the NFUSE/MF servers over NAT connection via router..
> >
> >
> >
> > Trygve
> >
> > ********************************************************
> > This Week's Sponsor - Emergent Online
> > EOL's Universal Printer new Features include:
> > Network Printing, Pagestreaming, 2400 DPI.
> > No Client Software Required!
> > http://www.go-eol.com/
> > **********************************************************
> >
> > For Archives, to Unsubscribe, Subscribe or
> > set Digest or Vacation mode use the below link:
> > http://thethin.net/citrixlist.cfm