[THIN] Re: NFUSE and NAT

  • From: "Jensen, Jay" <jjensen@xxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Thu, 8 May 2003 09:46:51 -0500

Thanks Paul.  I feel the same way, that is the reason for the question.  I
will take your advice and get a better explanation like you suggested.  It
is really appreciated and thanks much.  Jay

-----Original Message-----
From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx]
Sent: Thursday, May 08, 2003 9:40 AM
To: 'thin@xxxxxxxxxxxxx'
Subject: [THIN] Re: NFUSE and NAT



I've never heard of anything like that, and can't conceive why you would
want your STA at a 3rd party site.  It would needlessly complicate things in
my view.  I don't know that it wouldn't work, I just don't understand why
they would do it.  Having purchased an external certificate from a 3rd party
CA is one thing.  Having your STA be some 3rd party machine is just strange.
I'd ask them to explain it again and give you some good diagrams about what
is going where.  Your STA should be internal to your network (i.e. inside
your internal firewall).

-Paul

> ----------
> From:         Jensen, Jay[SMTP:jjensen@xxxxxxxxx]
> Reply To:     thin@xxxxxxxxxxxxx
> Sent:         Thursday, May 08, 2003 10:35 AM
> To:   'thin@xxxxxxxxxxxxx'
> Subject:      [THIN] Re: NFUSE and NAT
> 
> 
> Sorry if I am mistaken but I do not do any of the security and I depend on
> others for this environment.  I was told by a person that is engineering our
> Secure Gateway that the STA server that should be used is a 3rd party
> secure server external to the company and that external company would act as
> our Certificate Authority server.  From what they explained to me, this
> CA server would act as my Secure Ticket Authority.
> 
> If they are giving me an incorrect engineered environment, I need to
> understand what that may be so I can question their solution.  That is the
> basis of my question.  I have my doubts that this is the right approach.
> From what you just told me it sounds like their engineered method will not
> work.  
> 
> Is this correct?
> 
> Thanks again. 
> Jay
> 
> -----Original Message-----
> From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx]
> Sent: Thursday, May 08, 2003 9:27 AM
> To: 'thin@xxxxxxxxxxxxx'
> Subject: [THIN] Re: NFUSE and NAT
> 
> 
> 
> Jay, I'm not sure I understand.  Your STA is a machine, usually internal,
> that handles the authentication steps.  It has the STA piece of Secure
> Gateway installed.  If what you are asking about is the secure
> certificate(s) needed, then that is a whole different ballgame.  We generate
> our own, but it does cause problems.  They are no more or less secure than
> any other 128-bit certificate, but you have to have your root added as a
> Trusted Root CA on every client machine.  In some cases that is a real pain.
> Had I the chance to do it over again, I might choose a different route and
> just cough up the cash.
> 
> -Paul
> 
> > ----------
> > From:       Jensen, Jay[SMTP:jjensen@xxxxxxxxx]
> > Reply To:   thin@xxxxxxxxxxxxx
> > Sent:       Thursday, May 08, 2003 10:22 AM
> > To:         'thin@xxxxxxxxxxxxx'
> > Subject:    [THIN] Re: NFUSE and NAT
> > 
> > 
> > This is a question for all of you.
> > 
> > In the Citrix Secure Gateway environment, a question came up on which I would
> > like your expert opinions. An assumption is that we have a secure external
> > firewall, DMZ, and secure internal firewall.
> > 
> > The Secure Ticket Authority (STA).  Is it more secure to install your own
> > internal STA server versus using a 3rd-Party Certificate Authority from an
> > external secure CA?
> > 
> > What are the arguments either way?
> > 
> > Thanks in advance. 
> > Jay
> > 
> > -----Original Message-----
> > From: Stansel, Paul [mailto:Paul.Stansel@xxxxxxxxxxxxx]
> > Sent: Thursday, May 08, 2003 9:03 AM
> > To: 'thin@xxxxxxxxxxxxx'
> > Subject: [THIN] Re: NFUSE and NAT
> > 
> > 
> > 
> > Sure, you will just need to use the ALTADDR for the MF servers.
> > 
> > -Paul
> > 
> > > ----------
> > > From:     Trygve Ryslett[SMTP:trygve.ryslett@xxxxxxx]
> > > Reply To:         thin@xxxxxxxxxxxxx
> > > Sent:     Thursday, May 08, 2003 10:00 AM
> > > To:       thin@xxxxxxxxxxxxx
> > > Subject:  [THIN] NFUSE and NAT
> > > 
> > > 
> > > Is this possible? How?
> > > The firm has a Cisco router with NAT, and wants to be able to reach the
> > > NFUSE/MF servers over a NAT connection via the router.
> > > 
> > > 
> > > 
> > > Trygve
> > > 
> > > ********************************************************
> > > This Week's Sponsor - Emergent Online
> > > EOL's Universal Printer new Features include:
> > > Network Printing, Pagestreaming, 2400 DPI.
> > > No Client Software Required!
> > > http://www.go-eol.com/
> > > **********************************************************
> > > 
> > > For Archives, to Unsubscribe, Subscribe or 
> > > set Digest or Vacation mode use the below link:
> > > http://thethin.net/citrixlist.cfm
> > > 