[THIN] Re: SSL accelerator and Citrix Metaframe

  • From: "Alexander Danilychev" <teknica@xxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Thu, 13 Mar 2003 13:33:34 -0800

ICA traffic should be encrypted (CSG-->MetaFrame).
Traffic to CSG is a proprietary thing when the ICA client and CSG are involved in 
SSL-ing the connection - no help from the accelerator.

If all your HTTP traffic goes through the accelerator, you should probably use 
it with NFuse. Not much benefit there, since the information transmitted in and 
out of NFuse is very small in size.

Do not overlook XML encryption - most people will not do it, but SSL for XML 
between NFuse in the DMZ and your selected MetaFrame boxes is highly 
recommended. That SSL implementation is a good place for home-grown 
certificates - you can provide the NFuse box with a root key and do not need to 
pay anything.

ALEX


>From: "Sevillano, Raul" <SEVILLANOR@xxxxxxxxxxxxx>
>Reply-To: thin@xxxxxxxxxxxxx
>To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
>Subject: [THIN] SSL accelerator and Citrix Metaframe
>Date: Thu, 13 Mar 2003 15:18:57 -0500
>
>Hi,
>Can the following scenario replace CSG?
>We have an Ingrian i225 SSL accelerator between the DMZ and the internal
>network. This box is going to host all the SSL certificates and terminate
>the encryption at the box. The internal servers will only receive
>un-encrypted data.
>Does this make sense? Can this be supported?
>Thanks
>
>
>
>-----Original Message-----
>From: Chris Lynch [mailto:lynch00@xxxxxxx]
>Sent: Thursday, March 13, 2003 2:04 PM
>To: thin@xxxxxxxxxxxxx
>Subject: [THIN] Re: Hold it!!!: There is no Citrix SSL Server configured on
>the specified address.
>
>
>
>
>You cannot use an SSL accelerator with CSG.  The whole purpose of an
>SSL accelerator is to process the SSL request on the card's CPU,
>offloading it from the main CPU.  If you do this, then the CSG will drop
>the packets because they are not wrapped with SSL.
>
>If you have a Single PIII 1GHz with 2GB of RAM, you should be able to
>support more than a few thousand client sessions at the same time
>with one CSG box.
>
>Chris
>
>-----Original Message-----
>From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
>Behalf Of Sevillano, Raul
>Sent: Thursday, March 13, 2003 10:47 AM
>To: 'thin@xxxxxxxxxxxxx'
>Subject: [THIN] Re: Hold it!!!: There is no Citrix SSL Server
>configured on the specified address.
>
>
>List,
>Simple question
>Do I need CSG if I have an SSL accelerator ....?
>
>
>-----Original Message-----
>From: Alexander Danilychev [mailto:teknica@xxxxxxxxxxx]
>Sent: Thursday, March 13, 2003 1:55 AM
>To: thin@xxxxxxxxxxxxx
>Subject: [THIN] Hold it!!!: There is no Citrix SSL Server configured
>on the specified address.
>
>
>
>--------------------------
>Hey, guys, don't go nuts!
>--------------------------
>
>1. Get STA away from MetaFrame to the NFuse box.
>Secure the "scripts" folder either by multi-homing or by IP restriction -
>STA should be visible only to NFuse and CSG.
>2. "Port sharing" is a bad term - do not use it (I guess it came from Citrix
>marketing, not tech guys) - STA as well as the XML implementation without a
>listener runs in the scope of IIS, so no "port sharing" here.
>3. XML service that defaults to port 80 requires IIS, which makes sense
>when you plan to use SSL to secure XML traffic and thus port 443; if
>security is not a concern(?!) - use XML service with its own listener (in
>that case it actually runs as a service and you can see it among the
>services applets).
>
>So:
>--------------------------
>1. Install STA on the same box as NFuse (use multi-homing when everything
>works).
>2. Install CSG on a separate box. My recommendation is to install IIS for
>certificate installation and troubleshooting - disable IIS when starting
>CSG.
>3. On the MetaFrame side have IIS installed (if you do not like it - install
>the XML listener and run it as a service). I like IIS, since to secure the
>XML service otherwise you will need to run Citrix SSL Relay (remember that
>one?).
>
>3 box solution (NFuse/STA, CSG and MetaFrame farm) - the easiest to
>implement; do not confuse yourself by hiding STA behind the DMZ - the
>original Citrix configuration is overkill.
>
>Again, STA should live on an IIS system where stateless connections are the
>norm. Do not put STA or NFuse on boxes like CSG or MetaFrame where
>connections are always on, unless users can tolerate dropped connections.
>IIS on MetaFrames for XML is not an issue and is a better choice for SSLed
>XML.
>
>ALEX
>
>
> >From: "Chris Lynch" <lynch00@xxxxxxx>
> >Reply-To: thin@xxxxxxxxxxxxx
> >To: <thin@xxxxxxxxxxxxx>
> >Subject: [THIN] Re: There is no Citrix SSL Server configured on the
> >specified address.
> >Date: Wed, 12 Mar 2003 22:10:53 -0800
> >
> >
> >
> >Ok.  I have run into this in the past, but I don't know if this is
> >causing your problem.  If you have XML port sharing on your MetaFrame
> >server, then you will need to disable this.  You will move your IIS
> >port from 80 to 81, and make sure that this rule has been changed in
> >the firewall to reflect this.  Also, make sure you add this in the
> >NFuse page as http://servername:81/scripts/...  Also, reconfigure the
> >CSG and select Advanced.  You will then be able to specify the port
> >the STA is listening on (default again is 80, change that to 81).  On
> >your MetaFrame box that hosts the STA, unregister the XML service
> >(CTXXMLS.EXE /U, or something like that), then re-register it with
> >/R80.
> >
> >Then, try it again.
> >
> >I have seen this happen on a MetaFrame XPe server running FR2/SP2, and
> >I had to make this change for this to work properly.  I haven't taken
> >the time to investigate as to why, as I have installed CSG numerous
> >times.  Mainly, I have always had another server dedicated for the
> >STA.  Oh well.
> >
> >Let me know how it goes.
> >
> >Chris
> >
> >-----Original Message-----
> >From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
> >Behalf Of Joe Shonk
> >Sent: Wednesday, March 12, 2003 9:32 PM
> >To: thin@xxxxxxxxxxxxx
> >Subject: [THIN] Re: There is no Citrix SSL Server configured on the
> >specified address.
> >
> >
> >
> >Do you have a separate website in IIS for CSG (to install the
> >certificate)?
> >You do have separate IP addresses bound to the NIC, one for IIS and
> >one for CSG? You have disabled the IIS website for CSG (after
> >installing the certificate)?
> >You have disabled Socket Pooling for IIS (this is required to get NFUSE
> >and CSG to both utilize port 443 on the same server)?
> >
> >Joe
> >
> >-----Original Message-----
> >From: Chris Hardy [mailto:Chris.Hardy@xxxxxxxxxxxxx]
> >Sent: Wednesday, March 12, 2003 9:17 PM
> >To: 'thin@xxxxxxxxxxxxx'
> >Subject: [THIN] Re: There is no Citrix SSL Server configured on the
> >specified address.
> >
> >
> >
> >I've got no hair left!!
> >
> >I may be going mad but these are my firewall rules, I'm sure this is
> >all you need for a proper CSG solution.
> >
> >1. External access on port 443 to the Nfuse and CSG boxes (same box) -
> >you can get to these boxes on 443 from anywhere
> >2. Nfuse and CSG box has 80, 443 and 1494 access to Metaframe Server on
> >internal network.
> >
> >I have checked and double checked that all ports and access are open
> >and working correctly.
> >
> >I don't need External access to my metaframe box, right?  That then
> >defeats the purpose of CSG, right?  The only access to the metaframe
> >server is from the Nfuse/CSG box in the DMZ.
> >
> >Like I said before, I can log in - get the published app. list (I know
> >this is all done on XML - port 80) but the minute I click on the
> >publish app.
> >
> >Maybe it's time to call Citrix themselves, I don't know what else to look
> >at.
> >
> >-----Original Message-----
> >From: Chris Hardy
> >To: 'thin@xxxxxxxxxxxxx'
> >Sent: 13/03/03 9:01
> >Subject: [THIN] Re: There is no Citrix SSL Server configured on the
> >specified address.
> >
> >
> >Thanks Richard - will check on that - something I didn't even think of.
> >
> >-----Original Message-----
> >From: Manley, Richard [mailto:RManley@xxxxxxxxxxxxxxxx]
> >Sent: Thursday, 13 March 2003 12:46 AM
> >To: 'thin@xxxxxxxxxxxxx'
> >Subject: [THIN] Re: There is no Citrix SSL Server configured on the
> >specified address.
> >
> >
> >
> >I can't remember now but when we set this up we had a problem where our
> >certificate authority issued the certificate as csg rather than
> >csg.company.com.  I think we had issues with this that created the
> >above error.
> >
> >-----Original Message-----
> >From: Steve Snyder [mailto:steven_snyder@xxxxxxxxx]
> >Sent: 12 March 2003 06:04
> >To: thin@xxxxxxxxxxxxx
> >Subject: [THIN] Re: There is no Citrix SSL Server configured on the
> >specified address.
> >
> >
> >
> >In addition to using FQDN in the DNS, don't forget to
> >have the domain name as part of the server's fully
> >qualified name as well - System Properties, Network Identification,
> >Full Computer Name.
> >
> >--- Chris Hardy <Chris.Hardy@xxxxxxxxxxxxx> wrote:
> > > Thanks Roger.  I've been down that track.  The SSL
> > > relay FQDN is right and
> > > of course the name/ip address of the metaframe server
> > > is encrypted with the
> > > STA and CSG stuff.
> >
> >*********************************************************
> >This Week's Sponsor - RTO Software / TScale
> >TScale increases terminal server capacity.
> >Get 30-40% more users per server to save $$$ and time.
> >Add users now! - not more servers. If you're using Citrix,
> >you must learn about TScale!  Free 30-day eval:
> >http://www.rtosoft.com/Enter.asp?ID=79
> >**********************************************************
> >
> >For Archives, to Unsubscribe, Subscribe or
> >set Digest or Vacation mode use the below link:
> >http://thethin.net/citrixlist.cfm
> >
>
>


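Two replies in the thread trace the "no Citrix SSL Server configured" error to the certificate subject not matching the name the client connects to (a certificate issued to "csg" rather than "csg.company.com", and a server whose full computer name lacks the domain). The check below is an added example, not code from the thread or from Citrix: it performs the identity comparison a client makes against the presented certificate. The certificate dictionaries are constructed samples in the shape Python's ssl.SSLSocket.getpeercert() returns, and csg.company.com is the thread's own placeholder name.

```python
# Added example (not from the thread): why a certificate issued to the short
# name "csg" fails for an ICA client told to connect to "csg.company.com".
# Both certificate dictionaries are constructed samples in the shape that
# Python's ssl.SSLSocket.getpeercert() returns.

CERT_SHORT_NAME = {                      # constructed: CN is only the host name
    "subject": ((("commonName", "csg"),),),
}
CERT_FQDN = {                            # constructed: CN and SAN carry the FQDN
    "subject": ((("commonName", "csg.company.com"),),),
    "subjectAltName": (("DNS", "csg.company.com"),),
}


def cert_names(cert):
    """DNS identities the certificate claims: SAN dNSName entries win;
    the subject CN is consulted only when no DNS SAN is present."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def dns_name_matches(pattern, hostname):
    """Case-insensitive comparison; a leftmost '*' may replace exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def cert_matches_host(cert, hostname):
    return any(dns_name_matches(n, hostname) for n in cert_names(cert))


def check_csg_certificate(cert, hostname):
    """(ok, message) for the address the client was configured to use.
    The message lists what the certificate actually names, which is the
    first thing to compare when the SSL Server error in the thread appears."""
    if cert_matches_host(cert, hostname):
        return True, "certificate covers %s" % hostname
    return False, "client expects %r, certificate only names %s" % (
        hostname, cert_names(cert))


if __name__ == "__main__":
    for cert in (CERT_SHORT_NAME, CERT_FQDN):
        print(check_csg_certificate(cert, "csg.company.com"))
```

The same comparison applies to the NFuse-to-MetaFrame XML link when it is put behind SSL with home-grown certificates: the name in the certificate must be the name NFuse is configured to contact.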