[THIN] Re: STA port number change?
- From: "Alexander Danilychev" <teknica@xxxxxxxxxxx>
- To: thin@xxxxxxxxxxxxx
- Date: Fri, 11 Apr 2003 10:03:41 -0700
Your steps are absolutely correct.
If you keep STA behind DMZ -- use SSL, i.e. port 443 to please your firewall
folks.
Some people from this group suggested using the same IIS that is used in
conjunction with XML service, i.e. drop STA on MetaFrame.
I personal like my STAs "rock solid", so scenario with MetaFrame deployment
of STA does not fit the bill (for single MetaFrame box it is probably OK).
I always deploy STA within DMZ paying attention to secure STA from outside
access. Again SSL is not important -- only denial of service attacks if STA
is downed or busy.
If you like to save some money ? drop STA on a multi-homed NFuse box (it
will support independent load balancing for STAs and NFuse). DO NOT deploy
STA on CSG box!
I will pay more attention to XML service and MAKE SURE that it is not on
default port 80, but protected with SSL (free home-grown certificates are
OK)!
ALEX
>From: "Raffensberger, Stephen D (Stephen) %" <raff@xxxxxxxxx>
>Reply-To: thin@xxxxxxxxxxxxx
>To: <thin@xxxxxxxxxxxxx>
>Subject: [THIN] STA port number change?
>Date: Fri, 11 Apr 2003 09:53:05 -0400
>
>
>I'm building a standard Nfuse 1.7/CSG/STA configuration according to the =
>Citrix docs.
>My firewall folks are concerned about port 80 traffic initiated in the =
>DMZ (Nfuse &
>CSG) and destined for the STA in the intranet. They want me to change it =
>to another
>port for improved security.
>
>I imagine it's pretty simple to do.
>
>1. On the STA server, change the port to 999 in IIS.
>2. On the Nfuse server, change the NFuse_CSG_STA_URL to
> http://X.X.X.X:999/Scripts/CtxSta.dll
>3. On the CSG server, change Port to 999 in
> HKLM\CCS\Services\CtsSecGwy\TicketAuthorities\STA01
>
>Has anyone actually done this? Is it as big a security problem as my =
>guys perceive?
>It seems like Citrix doesn't think so. It's not in any of the =
>installation or config
>settings. Also it looks like it's incompatible with SSL which means that =
>I can't
>really secure it at all.
>
>Steve Raffensberger
>Computer Aid serving Agere Systems
>Mailto: raff@xxxxxxxxx
>(610) 712-6819
>
>********************************************************
>This Week's Sponsor - ThinPrint
>Simply the best print solution for
>Microsoft Terminal Services
>and Citrix Metaframe.
>http://www.thinprint.com/
>**********************************************************
>
>For Archives, to Unsubscribe, Subscribe or
>set Digest or Vacation mode use the below link:
>http://thethin.net/citrixlist.cfm
_________________________________________________________________
MSN 8 with e-mail virus protection service: 2 months FREE*
http://join.msn.com/?page=features/virus
********************************************************
This Week's Sponsor - ThinPrint
Simply the best print solution for
Microsoft Terminal Services
and Citrix Metaframe.
http://www.thinprint.com/
**********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
Other related posts:
