Jay,=20 I'm thinking from your previous posts that you're mixing up SSL certificates (assigned to your external Nfuse and CSG servers) with the ticketing process of the STA. With any implementation of SG, a recognized 3rd party SSL Certificate (Verisign, Thawte, Geotrust, etc...) to protect your Nfuse site, and your SG server itself are indeed highly recommended. (you can do the same process with certificates from private cert providers like MS's cert server, but it's a bit of a pain) You can indeed run your STA on a metaframe server. Many people do this. It will require that IIS be installed on the metaframe server, and that this server is accessible from the DMZ via port 80 (default Http). The bottem line is that Citrix's SG solution is pretty much a closed package. The only 3rd party piece that's really needed for it to function properly would be a set of valid SSL certificates. And of course a correctly setup DMZ. Checkout citrix's pdf on the architecture, it's not too difficult to figure out the whole process of traffic in a SG config once you read through their docs on it.=20 Go to http://support.citrix.com And search for CTX18604 HTH J -----Original Message----- From: Jensen, Jay [mailto:jjensen@xxxxxxxxx]=20 Sent: Friday May 09, 2003 10:48 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: NFUSE and NAT Can you run STA on a MetaFrame ssrver or is this not recommended. jay -----Original Message----- From: Carlos Sanabria [mailto:csanabria@xxxxxxx] Sent: Thursday, May 08, 2003 9:58 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: NFUSE and NAT Jay, The STA is NOT a Certficate Authority and DOES NOT give out PKI Certificates, what it does is generate tickets so that users never know the actual IP Address of the MetaFrame Servers, and no Username/Password information travels through the insecure network or the Internet (although, you COULD use Nfuse ticketing which would protect the Username/Password but not the MF Internal IP Address). The STA is MANDATORY and is no 3rd party can provide a substitute if you use Citrix Secure Gateway in normal mode (there is a relay mode that does not need the STA, but should only be used in specific scenarios). Bottom line, your Engineering team SHOULD read the CSG Administrator's Guide. Or even better, help out your friends and hire a Citrix Consultant in your area. :-) Cheers, Carlos Sanabria, CCA, MCSA IT Consultant -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jensen, Jay Sent: Thursday, May 08, 2003 9:36 AM To: 'thin@xxxxxxxxxxxxx' Subject: [THIN] Re: NFUSE and NAT Sorry if I am mistaken but I do not do any of the security and I depend on others for this environment. I was told by a person that is engineering our Secure Gateway that for the STA server that should be used is a 3rd party secure server external to the company and that external company would act as our Certificate Authority server. From what they explained to me that this CA server would act as my Secure Ticket Authority. =20 IF they are giving me an incorrect engineered environment, I need to understand what that may be so I can question their solution. That is the basis of my question. I have my doubts that this is the right approach. From what you just told me it sounds like their engineered method will not work. =20 Is this correct? Thanks again.=20 Jay -----Original Message----- From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx] Sent: Thursday, May 08, 2003 9:27 AM To: 'thin@xxxxxxxxxxxxx' Subject: [THIN] Re: NFUSE and NAT Jay, I'm not sure I understand. Your STA is a machine, usually internal, that handles the authentication steps. It has the STA piece of Secure Gateway installed. If what you are asking about is the secure certificate(s) needed, then that is a whole different ballgame. We generate our own, but it does cause problems. They are no more or less secure than any other 128bit certificate, but you have to have your root added as a Trusted Root CA on every client machine. In some cases that is a real pain. Had I the chance to do it over again, I might choose a different route and just cough up the cash. -Paul > ---------- > From: Jensen, Jay[SMTP:jjensen@xxxxxxxxx] > Reply To: thin@xxxxxxxxxxxxx > Sent: Thursday, May 08, 2003 10:22 AM > To: 'thin@xxxxxxxxxxxxx' > Subject: [THIN] Re: NFUSE and NAT >=20 >=20 > This a question for all of you. >=20 > In the Citrix Secure Gateway environment, a question came up that I=20 > would like your expert opinions. An assumption is that we have a=20 > secure external firewall, DMZ, and secure internal firewall. >=20 > The Secure Ticket Authority (STA). Is it more secure to install your=20 > own internal STA server versus using a 3rd-Party Certificate Authority > from an external secure CA? >=20 > What are the arguments either way? >=20 > Thanks in advance. > Jay >=20 > -----Original Message----- > From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx] > Sent: Thursday, May 08, 2003 9:03 AM > To: 'thin@xxxxxxxxxxxxx' > Subject: [THIN] Re: NFUSE and NAT >=20 >=20 >=20 > Sure, you will just need to use the ALTADDR for the MF servers. >=20 > -Paul >=20 > > ---------- > > From: Trygve Ryslett[SMTP:trygve.ryslett@xxxxxxx] > > Reply To: thin@xxxxxxxxxxxxx > > Sent: Thursday, May 08, 2003 10:00 AM > > To: thin@xxxxxxxxxxxxx > > Subject: [THIN] NFUSE and NAT > >=20 > >=20 > > Is this possible ? How ? > > The firm have a Cisco router with NAT, and wants to be able to reach > > the NFUSE/MF servers over NAT connection via router.. > >=20 > >=20 > >=20 > > Trygve > >=20 > > ******************************************************** > > This Week's Sponsor - Emergent Online > > EOL's Universal Printer new Features include: > > Network Printing, Pagestreaming, 2400 DPI. > > No Client Software Required! > > http://www.go-eol.com/ > > ********************************************************** > >=20 > > For Archives, to Unsubscribe, Subscribe or > > set Digest or Vacation mode use the below link: > > http://thethin.net/citrixlist.cfm > >=20 > ******************************************************** > This Week's Sponsor - Emergent Online > EOL's Universal Printer new Features include: > Network Printing, Pagestreaming, 2400 DPI. > No Client Software Required! > http://www.go-eol.com/ > ********************************************************** >=20 > For Archives, to Unsubscribe, Subscribe or > set Digest or Vacation mode use the below link: > http://thethin.net/citrixlist.cfm > ******************************************************** > This Week's Sponsor - Emergent Online > EOL's Universal Printer new Features include: > Network Printing, Pagestreaming, 2400 DPI. > No Client Software Required! > http://www.go-eol.com/ > ********************************************************** >=20 > For Archives, to Unsubscribe, Subscribe or > set Digest or Vacation mode use the below link: > http://thethin.net/citrixlist.cfm >=20 ******************************************************** This Week's Sponsor - Emergent Online EOL's Universal Printer new Features include: Network Printing, Pagestreaming, 2400 DPI. No Client Software Required! http://www.go-eol.com/ ********************************************************** For Archives, to Unsubscribe, Subscribe or=20 set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm ******************************************************** This Week's Sponsor - Emergent Online EOL's Universal Printer new Features include: Network Printing, Pagestreaming, 2400 DPI. No Client Software Required! http://www.go-eol.com/ ********************************************************** For Archives, to Unsubscribe, Subscribe or=20 set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.474 / Virus Database: 272 - Release Date: 4/18/2003 =20 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.474 / Virus Database: 272 - Release Date: 4/18/2003 =20 ******************************************************** This Week's Sponsor - Emergent Online EOL's Universal Printer new Features include: Network Printing, Pagestreaming, 2400 DPI. No Client Software Required! http://www.go-eol.com/ ********************************************************** For Archives, to Unsubscribe, Subscribe or=20 set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm ******************************************************** This Week's Sponsor - Emergent Online EOL's Universal Printer new Features include: Network Printing, Pagestreaming, 2400 DPI. No Client Software Required! http://www.go-eol.com/ ********************************************************** For Archives, to Unsubscribe, Subscribe or=20 set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm ******************************************************** This Week's Sponsor - Emergent Online EOL's Universal Printer new Features include: Network Printing, Pagestreaming, 2400 DPI. No Client Software Required! http://www.go-eol.com/ ********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm