[THIN] Re: STA port number change?

  • From: "Alexander Danilychev" <teknica@xxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Fri, 11 Apr 2003 10:03:41 -0700

Your steps are absolutely correct.
If you keep STA behind DMZ -- use SSL, i.e. port 443 to please your firewall 

Some people from this group suggested using the same IIS that is used in 
conjunction with XML service, i.e. drop STA on MetaFrame.

I personal like my STAs "rock solid", so scenario with MetaFrame deployment 
of STA does not fit the bill (for single MetaFrame box it is probably OK).

I always deploy STA within DMZ paying attention to secure STA from outside 
access. Again SSL is not important -- only denial of service attacks if STA 
is downed or busy.
If you like to save some money ? drop STA on a multi-homed NFuse box (it 
will support independent load balancing for STAs and NFuse). DO NOT deploy 
STA on CSG box!

I will pay more attention to XML service and MAKE SURE that it is not on 
default port 80, but protected with SSL (free home-grown certificates are 


>From: "Raffensberger, Stephen D (Stephen) %" <raff@xxxxxxxxx>
>Reply-To: thin@xxxxxxxxxxxxx
>To: <thin@xxxxxxxxxxxxx>
>Subject: [THIN] STA port number change?
>Date: Fri, 11 Apr 2003 09:53:05 -0400
>I'm building a standard Nfuse 1.7/CSG/STA configuration according to the =
>Citrix docs.
>My firewall folks are concerned about port 80 traffic initiated in the =
>DMZ (Nfuse &
>CSG) and destined for the STA in the intranet. They want me to change it =
>to another
>port for improved security.
>I imagine it's pretty simple to do.
>1. On the STA server, change the port to 999 in IIS.
>2. On the Nfuse server, change the NFuse_CSG_STA_URL to
>    http://X.X.X.X:999/Scripts/CtxSta.dll
>3. On the CSG server, change Port to 999 in
>    HKLM\CCS\Services\CtsSecGwy\TicketAuthorities\STA01
>Has anyone actually done this? Is it as big a security problem as my =
>guys perceive?
>It seems like Citrix doesn't think so. It's not in any of the =
>installation or config
>settings. Also it looks like it's incompatible with SSL which means that =
>I can't
>really secure it at all.
>Steve Raffensberger
>Computer Aid serving Agere Systems
>Mailto: raff@xxxxxxxxx
>(610) 712-6819
>This Week's Sponsor - ThinPrint
>Simply the best print solution for
>Microsoft Terminal Services
>and Citrix Metaframe.
>For Archives, to Unsubscribe, Subscribe or
>set Digest or Vacation mode use the below link:

MSN 8 with e-mail virus protection service: 2 months FREE*  

This Week's Sponsor - ThinPrint
Simply the best print solution for
Microsoft Terminal Services 
and Citrix Metaframe.

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:

Other related posts: