[THIN] Re: Nfuse in DMZ

  • From: "Alexander Danilychev" <teknica@xxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Mon, 17 Mar 2003 09:51:45 -0800

Port 80 is used as a "first point of entry" from where the user is redirected to 
the SSLed login to NFuse - users should not be educated to type https://... or 
http:...:443 (you can also redirect users from another server to the 
appropriate port).

Regarding inbound port 80 on inside of DMZ:
SSL for the XML service is highly desirable and should always be used if 
possible. The cost of certificates that will go on MetaFrame servers that 
run XML is irrelevant, since their client is NFuse server(s), which is 
perfect for home-grown certificates. Just register your private certificate 
authority with NFuse and you are ready to go.

Another desirable (I should say mandatory) thing is secure ICA from CSG (if 
you use one) to MetaFrame. If CSG is not used secure ICA is a must anyway.

There was ongoing discussion where to drop STAs. SSL encryption for STA is 
not required since there is no sensitive information being revealed and the 
server is on inside which prevents the threat of denial of service attacks 
on STA. Dropping STA behind DMZ on a separate box is an overkill. If it is 
dropped on MetaFrame (as some suggest) that has IIS for XML communications, 
then it should be SSLed together with XML to avoid unnecessary inbound 
traffic on port 80. This arrangement however is not so good, since downed 
MetaFrame boxes with STAs will bring disruption to STA generation (at least 
at the time they are going down). Multi-homed NFuse is a better place for 
STA, since IIS is already installed and STA will be known and visible to NFuse 
and CSG only, and thus well protected. Again, break-ins are not as dangerous as 
denial of service.

So:
Inbound 80(s) and 443(s) at the outer edge of the DMZ for NFuse(s) 
(additional 443 for CSG if you use one).
Inbound 443 for XML traffic between NFuse and MetaFrame (behind DMZ).
Inbound 1494 for Secure ICA (CSG-->MetaFrame) or Inbound 1494 for Secure ICA 
for user-->DMZ-->MetaFrame.

Here the benefit of Secure Gateway is apparent, since without Secure Gateway we 
have to open 1494 on the inside and(!) outside of the DMZ for all(!) MetaFrame 
boxes to be used with NFuse, plus expose the login screen to curious minds on 
the Internet. Alongside other benefits is the fact that clients should not worry 
about outbound port 1494 on their respective firewalls.

ALEX
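As an added illustration (not part of the thread), the port list above can be written down as a small policy model so the two designs, with and without Secure Gateway, can be compared mechanically. Host names such as "nfuse", "csg" and the MetaFrame names are assumed placeholders.

```python
"""Model of the back-to-back DMZ firewall policy discussed above.

Added example, not code from the thread. Hosts are constructed placeholders:
"nfuse" (DMZ web server), "csg" (Citrix Secure Gateway), MetaFrame hosts inside.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    edge: str   # "outer": Internet -> DMZ firewall, "inner": DMZ -> internal firewall
    src: str
    dst: str
    port: int


def build_policy(use_csg: bool, metaframe_hosts: tuple) -> frozenset:
    """Return the inbound rules the post recommends for the two designs."""
    rules = {
        Rule("outer", "internet", "nfuse", 80),    # entry point, redirects to 443
        Rule("outer", "internet", "nfuse", 443),   # NFuse login over SSL
    }
    for mf in metaframe_hosts:
        rules.add(Rule("inner", "nfuse", mf, 443))  # XML service, SSL only (no 80)
    if use_csg:
        rules.add(Rule("outer", "internet", "csg", 443))
        for mf in metaframe_hosts:
            rules.add(Rule("inner", "csg", mf, 1494))   # Secure ICA CSG -> MetaFrame
    else:
        # Without CSG, 1494 must be opened at both edges for every MetaFrame box.
        for mf in metaframe_hosts:
            rules.add(Rule("outer", "internet", mf, 1494))
            rules.add(Rule("inner", "internet", mf, 1494))
    return frozenset(rules)


def allowed(policy: frozenset, edge: str, src: str, dst: str, port: int) -> bool:
    """True if the flow matches one of the explicit inbound rules."""
    return Rule(edge, src, dst, port) in policy


def exposed_to_internet(policy: frozenset) -> list:
    """(host, port) pairs reachable from the Internet at the outer edge."""
    return sorted({(r.dst, r.port) for r in policy
                   if r.edge == "outer" and r.src == "internet"})
```

Running `exposed_to_internet` on both policies shows the point of the post: with CSG only the NFuse and CSG listeners face the Internet, without it every MetaFrame box's 1494 does.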

>From: "Roger Riggins" <Roger@xxxxxxxxxxxx>
>Reply-To: thin@xxxxxxxxxxxxx
>To: <thin@xxxxxxxxxxxxx>
>Subject: [THIN] Re: Nfuse in DMZ
>Date: Mon, 17 Mar 2003 08:26:42 -0600
>
>If you're using SSL/TLS for NFuse, you shouldn't need 80 open from the
>outside unless it's for other websites on that IP.
>
>Roger Riggins, A+ MCSE CCNA CCA
>ACES Systems Engineer
>* 319-287-3102
>* roger@xxxxxxxxxxxx
>
>
>-----Original Message-----
>From: Jamie Marshall [mailto:jamie.marshall@xxxxxxxxxxxxxxxxxxxx]
>Sent: Monday, March 17, 2003 6:42 AM
>To: 'thin@xxxxxxxxxxxxx'
>Subject: [THIN] Re: Nfuse in DMZ
>
>
>assuming you are running standard ports and just Nfuse....
>
>on the external ISA server open ports 80 and 443(if you are using
>SSL/TLS
>for the nfuse web site) to the Nfuse server and NAT appropriately if you
>are
>using NAT.  On the internal ISA server, open up port 80 from the Nfuse
>server to the Metaframe servers that are running XML, again, you may be
>using NAT.
>
>If you are using CSG it's a bit more complicated, but not rocket science.
>
>Jamie
>
>-----Original Message-----
>From: Stuart Pittwood [mailto:SPittwood@xxxxxxxxxxxxxxxxx]
>Sent: 17 March 2003 09:24
>To: thin@xxxxxxxxxxxxx
>Subject: [THIN] Nfuse in DMZ
>
>
>Hi all,
>
>I have a back to back DMZ (MS ISA Server on both sides) with a web
>server in the middle.
>
>Can anyone point me to a good document detailing what needs to be done
>on the firewalls in order to have our web server run Nfuse classic and
>talk to the metaframe servers (XPa FR2) which are housed on the internal
>network.
>
>Thanks in advance
>
>Stu
>
>
>*********************************************************
>This Week's Sponsor - RTO Software / TScale
>TScale increases terminal server capacity.
>Get 30-40% more users per server to save $$$ and time.
>Add users now! - not more servers. If you're using Citrix,
>you must learn about TScale!  Free 30-day eval:
>http://www.rtosoft.com/Enter.asp?ID=79
>**********************************************************
>
>For Archives, to Unsubscribe, Subscribe or
>set Digest or Vacation mode use the below link:
>http://thethin.net/citrixlist.cfm
