[THIN] Re: Securing the Web Interface

  • From: "Henry Sieff" <hsieff@xxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>, "Thin" <thin@xxxxxxxxxxxxx>
  • Date: Tue, 26 Apr 2005 08:48:00 -0500

This is easy to do -
1. First thing you will need to do is generate the certificate request, which 
you do from IIS management console, within the directory security section, 
under server certificate. The main thing to remember is that the SSL certs are 
linked to a specific friendly name, and if they don't match, you get an 
annoying warning. So, for example, my external NFUSE portal is matched on host 
header http://appsext.orthdoon.com, so the name I put in my certificate request 
wizard would be appsext.orthodon.com. (I use 2048 bit cipher on mine - YMMV)
 
2. Purchase an SSL certificate from a CA whose root signing certificate is 
already trusted by most browsers - I use geotrust (www.geotrust.com) but 
verisign is also good. (Geotrust has a really cool phone/web combination 
request process.) (You should be listed as one of the contacts for your domain, 
or at least warn them, since whoever is might need to approve it via email.)
 
3. When you are done, you will have a piece of text that you copy and paste into 
a text file and change the extension to .cer, and copy it to the server. Go 
back to the IIS management console, and go to the directory security tab and 
click on server certificate, and follow the prompts to install the certificate. 
Remove the request text file and the certificate text file and store them in a 
VERY secure location. Also, under the server cert section in IIS, you should 
click the require SSL for this web site, and choose 128 bit, unless you think 
you have browsers out there which don't support it.
 
It's pretty straightforward - I am more than willing to help you further if you 
have further questions. If you go to www.geotrust.com, they have instructions 
for the process for just about every type of web server.
 
After you are done, make sure you have port 443 open inbound to that server, 
btw. Also, your clients should make sure their web browsers can save encrypted 
pages to disk (Tools->Internet Options->Advanced->uncheck Do not save encrypted 
pages to disk) since the ica files they download will now be encrypted. You 
will now have encrypted sessions with no passwords in clear text.
 
Henry
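
Added example, not part of the original post: a check that can be run on the .cer text file from step 3 before installing it, covering the name match that step 1 warns about, the key size, and expiry. It assumes the OpenSSL command-line tool is available (the post itself uses only the IIS console); `check_cert`, `make_demo_cert` and the name portal.example.test are made up for illustration.

```shell
#!/bin/sh
# check_cert FILE HOSTNAME [MIN_BITS]: one line per check, returns 0 only if all pass.
check_cert() {
    cert=$1; host=$2; min_bits=${3:-2048}; rc=0

    # 1. Name match: the name users browse to must be covered by the
    #    certificate, or the browser shows a mismatch warning.
    if openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match'; then
        echo "OK   name matches $host"
    else
        echo "FAIL name does not match $host"; rc=1
    fi

    # 2. Public key size, read from the certificate itself.
    bits=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -ge "$min_bits" ]; then
        echo "OK   key is $bits bits"
    else
        echo "FAIL key is ${bits:-unknown} bits, need at least $min_bits"; rc=1
    fi

    # 3. Validity: fails if the certificate has already expired.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "OK   not expired"
    else
        echo "FAIL expired or unreadable"; rc=1
    fi
    return "$rc"
}

# Constructed sample so this runs offline: a throwaway self-signed certificate
# for the made-up name portal.example.test. Prints the path of the .cer file.
make_demo_cert() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=portal.example.test" \
        -keyout "$dir/demo.key" -out "$dir/demo.cer" 2>/dev/null || return 1
    echo "$dir/demo.cer"
}

demo=$(make_demo_cert) && {
    check_cert "$demo" portal.example.test         # all three checks pass
    check_cert "$demo" wrong.example.test || true  # name check fails
}
```

For a real deployment, pass the .cer file received from the CA and the host header name the site is published under.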

________________________________

From: thin-bounce@xxxxxxxxxxxxx on behalf of Greg Reese
Sent: Mon 4/25/2005 4:52 PM
To: Thin
Subject: [THIN] Securing the Web Interface



I have been running the Web Interface 3.0 to show management and some
of the users how it will benefit them and make everyone taller and
better looking etc.  It has been well received so far and it is
looking like it will move live.

The problem is that the login authentication is sending the password
in clear text and policy prohibits me from putting out anything that
sends passwords in clear text.  This is only used by internal users,
not Internet users so I think the Secure Gateway might be a little
overkill.

Can I just SSL enable IIS to secure up the login on the Web Interface?
And if so, what is the easiest way to do this?  I don't want the
users to have to get presented with a bunch of prompts to install
things if I can avoid it.  I know enough about IIS to get the Web
Interface running and that is about it.  My IIS server is IIS 6 on
Windows 2003.  Its sole purpose in life is to support Citrix things.
It runs the Citrix License console, web interface etc.

Any ideas are greatly appreciated.

Thanks!

Greg