Your steps are absolutely correct. If you keep STA behind DMZ -- use SSL, i.e. port 443, to please your firewall folks. Some people from this group suggested using the same IIS that is used in conjunction with XML service, i.e. drop STA on MetaFrame. I personally like my STAs "rock solid", so the scenario with MetaFrame deployment of STA does not fit the bill (for a single MetaFrame box it is probably OK). I always deploy STA within DMZ, paying attention to securing STA from outside access. Again SSL is not important -- only denial of service attacks if STA is downed or busy.

If you like to save some money -- drop STA on a multi-homed NFuse box (it will support independent load balancing for STAs and NFuse). DO NOT deploy STA on CSG box!

I will pay more attention to XML service and MAKE SURE that it is not on default port 80, but protected with SSL (free home-grown certificates are OK)!

ALEX

>From: "Raffensberger, Stephen D (Stephen) %" <raff@xxxxxxxxx>
>Reply-To: thin@xxxxxxxxxxxxx
>To: <thin@xxxxxxxxxxxxx>
>Subject: [THIN] STA port number change?
>Date: Fri, 11 Apr 2003 09:53:05 -0400
>
>I'm building a standard Nfuse 1.7/CSG/STA configuration according to the
>Citrix docs. My firewall folks are concerned about port 80 traffic
>initiated in the DMZ (Nfuse & CSG) and destined for the STA in the
>intranet. They want me to change it to another port for improved security.
>
>I imagine it's pretty simple to do.
>
>1. On the STA server, change the port to 999 in IIS.
>2. On the Nfuse server, change the NFuse_CSG_STA_URL to
>   http://X.X.X.X:999/Scripts/CtxSta.dll
>3. On the CSG server, change Port to 999 in
>   HKLM\CCS\Services\CtsSecGwy\TicketAuthorities\STA01
>
>Has anyone actually done this? Is it as big a security problem as my
>guys perceive? It seems like Citrix doesn't think so. It's not in any of
>the installation or config settings. Also it looks like it's incompatible
>with SSL, which means that I can't really secure it at all.
>
>Steve Raffensberger
>Computer Aid serving Agere Systems
>Mailto: raff@xxxxxxxxx
>(610) 712-6819
>
>********************************************************
>This Week's Sponsor - ThinPrint
>Simply the best print solution for
>Microsoft Terminal Services
>and Citrix Metaframe.
>http://www.thinprint.com/
>**********************************************************
>
>For Archives, to Unsubscribe, Subscribe or
>set Digest or Vacation mode use the below link:
>http://thethin.net/citrixlist.cfm