[THIN] Re: RePost - WI/SG with multiple AD

  • To: <thin@xxxxxxxxxxxxx>
  • Date: Sun, 21 Sep 2003 01:00:29 +0200

Thanks for all the info, I'm posting the reply from Citrix on this matter:

<quote>
Unfortunately Secure Gateway can be configured only with a single default 
destination for proxied HTTP traffic, which means for each SG server in the 
first DMZ there can be only one WI server. 

If your WI server is running IIS, you can't host multiple WI sites with 
different configurations. So you'll need two WI servers and hence two SG 
servers as well. 

But if you switch to Web Interface for UNIX, you will be able to host multiple 
WI sites on a single server, each with their own NFuse.conf file. (This is a 
benefit we get from using the WAR file format.) Taking this approach, you could 
set up a default page with a pair of links allowing the users to select their 
farm before continuing to their chosen WI login page. 

If you want to stick with Web Interface on Windows, your quickest solution will 
be to set up a second SG server with its own FQDN and its own certificate and 
point each SG server to a different WI server. 

Both SG servers could share a single SG proxy server, if that helps.
</quote>

---
mvh/yours
Anders Hansen-Øvre
 

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> Sent: 19. september 2003 18:06
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: RePost - WI/SG with multiple AD
> 
> Well, you cannot have just one URL for both servers if they 
> are going to support two different AD domains.  You need to 
> have two different DNS entries (one for each WI server).
> 
> Chris 
> 
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] 
> Sent: Friday, September 19, 2003 12:50 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: RePost - WI/SG with multiple AD
> 
> Well, the situation:
> 
> We want to install a CSG server in the DMZ on the first 
> firewall. This will be the front-end for the unsecure users. 
> We want to install 2 different WI servers in the DMZ on the 
> second firewall along with a SG Proxy server. 
> The 2 WI servers will service 2 separate farms with separate 
> AD. The secure networks are located on the second firewall 
> (isolated from each other).
> 
> My problem is how to get the SG server to send the user to 
> the correct WI server for that user. If a user that needs to 
> access Farm1 starts a 
> https://some.web.server/Citrix/MetaFrameXP to the SG server 
> (which is the front-end) how can I make sure that user 
> accesses the correct WI server?
> 
> ---
> mvh/yours
> Anders Hansen-Øvre
> 
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Chris Lynch
> Sent: 19. september 2003 00:56
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: RePost - WI/SG with multiple AD
> 
> Um, are you sure about this?  Since when did the STA provide 
> user account authentication?  The MF server always 
> authenticates the user account.
> 
> You should need 2 one-way trusts set up.  Otherwise, how is 
> the MF server going to know what domain to authenticate the 
> user account to?
> 
> (NOTE:  All of that should be provided by the XML service.)
> 
> Otherwise, you will need two independent WI servers, and you 
> can use one CSG server if you wish.
> 
> Chris 
> 
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Nick Crisp
> Sent: Thursday, September 18, 2003 3:46 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: RePost - WI/SG with multiple AD
> 
> Have you added the STA from both farms to WI list?
> Have you given XML access from both farms back to the WI?
> 
> The authentication credentials should be passed to the 
> available STAs in the WI list until successful. So forcing 
> should not be necessary.
> 
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Anders Hansen-Øvre
> Sent: Thursday, 18 September 2003 5:38 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: RePost - WI/SG with multiple AD
> 
> When I try to configure the WI to access 2 different farms 
> and add the two domains in under auth, the WI never 
> authenticates the user correctly. It always says bad 
> username/password.
> 
> Is there a way to force the connections to a defined farm 
> based on the selected domain name perhaps?
> 
> ---
> mvh/yours
> Anders Hansen-Øvre, Senior Consultant 
> 
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Nick Crisp
> Sent: 18. september 2003 09:00
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: RePost - WI/SG with multiple AD
> 
> 
> While I haven't specifically got it working in this way (so I 
> may be a little off), I did have Nfuse2 (WI) accessing two 
> completely separate domains, one through the CSG and the other 
> through regular 1494.
> 
> However, the CSG can have multiple STAs and WI can 
> authenticate on multiple domains, so I believe it should work. 
> The WI and CSG need not be associated with either domain.
> 
> WI uses the XML service to talk with the MF server for 
> authentication... so it requires no trust.
> 
> Basically my WI server and my CSG server are in their own 
> separate subnet/domain; there is no trust whatsoever between 
> them and the Metaframe farm and its domain controller/STA server.
> 
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Anders Hansen-Øvre
> Sent: Thursday, 18 September 2003 4:45 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: RePost - WI/SG with multiple AD
> 
> But to get WI to auth with multiple domains we would need to 
> establish trust between them, as far as I know. Is it 
> possible to install multiple SG instances on one server 
> without using VMware?
> 
> ---
> mvh/yours
> Anders Hansen-Øvre, Senior Consultant 
> 
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Nick Crisp
> Sent: 18. september 2003 03:24
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: RePost - WI/SG with multiple AD
> 
> 
> WI can authenticate with multiple domains 
> 
>                   WI     /---SN1 MF Farm1
> --internet--<FW>--|--<FW>
>                   SG     \---SN2 MF Farm2
> 
> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Anders Hansen-Øvre
> Sent: Thursday, 18 September 2003 4:37 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] RePost - WI/SG with multiple AD
> 
> Hi all, I have a question regarding the installation of WI and SG.
> 
> Scenario:
> 
> 
>                        |------<Secure network 1> 
> --internet--<FW>------<FW>----<Secure network 2>
>              |         |
>              SG       WI and SG Proxy
> 
> Using this configuration we are able to give external access 
> to one of the secure networks. What is the best way to give 
> WI access to 2 different farms (with different AD) without 
> using WIE with a double-hop DMZ?
> 
> One solution is to install one SG and WI for each farm/AD 
> you want to give access to, but in that case we will need 2 
> servers per farm. Establishing trust between them can't be done.
> 
> Anyone have a good solution?
> 
> ---
> mvh/yours
> Anders
> ********************************************************
> This Week's Sponsor:  ThinPrint
> http://www.thinprint.com
> **********************************************************
> Useful Thin Client Computing Links are available at: 
> http://thethin.net/links.cfm
> 
> For Archives, to Unsubscribe, Subscribe or set Digest or 
> Vacation mode use the below link: http://thethin.net/citrixlist.cfm