From a security standpoint I don't think what you are suggesting is entirely true. I guarantee you Thawte and Verisign run a much more secure CA than the rest of us can. What you are suggesting is potentially more hoops for an attacker, but if the hoops are easier to get around, there's no security advantage. Also, as stated before, it increases your training costs and ongoing TCO for additional helpdesk calls that you could have reduced by paying $300/yr to a reputable publicly available CA. I wouldn't consider anybody's self-set-up CA to be more secure than a reputable public CA, unless you are in the business of setting up Certificate Authorities and you had a considerable amount of money to invest in the PKI infrastructure. Setting up a secure CA and PKI infrastructure is well beyond just running Microsoft's CA software on a single box. It's about the business practices of the CA as much as it is about the technology.

_____

From: Marc-Andre Lapierre [mailto:malapierre@xxxxxxxxxxxxxxxx]
Sent: Wednesday, August 17, 2005 1:00 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Securing MFXP

But using a private cert is more secure than using a public one since the ICA has to trust the Root certificate of the CSG box. It's a kind of two-factor authentication since you need to give the private certificate to your users.

_____

From: Joe Shonk [mailto:joe.shonk@xxxxxxxxx]
Sent: Wednesday, August 17, 2005 1:26 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Securing MFXP

I would look at using CSG; it's more secure and free with your SubAdv. It's much simpler to set up and maintain than SSL Relay, even with 2 servers. I would also look into using a public cert. They can be had for only $50 and save a bunch of time and hassle trying to teach end users how to install the root cert.
Joe

_____

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of ILMS (Air)
Sent: Tuesday, August 16, 2005 9:24 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Securing MFXP

Hi friends!

We have 2 MFXP FR3/W2k3 servers, users logging in using WI over LAN/WAN. Would like to implement SSL. What I have in mind is:

1. Set up CA on one MF server. Create root cert. Issue server cert to both MF servers (IIS servers) and install through IIS.
2. Direct WI to use HTTPS (or Citrix SSL??) on 443, also set MF server name same as certificate name.
3. Set up Citrix SSL Relay on both MF servers (required??).
4. Install root cert on clients.
5. Open only port 443.
6. Direct users to use https://server

Waiting for your feedback!! Thanks in advance!