[THIN] Re: Securing the Web Interface

  • From: "Henry Sieff" <hsieff@xxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Tue, 26 Apr 2005 16:38:31 -0500

Glad it worked for you - and yeah, if you have no need for external
clients to use it, then using your AD's CA is perfectly acceptable.

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx 
> [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Reese
> Sent: Tuesday, April 26, 2005 2:56 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Securing the Web Interface
> 
> Thanks Henry.  All we wanted to secure was the password so 
> this worked really well.  What we ended up with was our own 
> certificate server which we then added as a trusted authority 
> in Active Directory.  Works beautifully and even solved a 
> similar issue for some other groups here.
> 
> Greg
> 
> On 4/27/05, Henry Sieff <hsieff@xxxxxxxxxxxx> wrote:
> >  
> >  
> > The web session is encrypted - the citrix session will not be
> > encrypted via ssl, but will be encrypted via whatever encryption
> > method you set for the published application/desktop. The main
> > concern is the sending of passwords in clear text, which ssl on the
> > web server takes care of.
> > 
> >  ________________________________
> >  From: thin-bounce@xxxxxxxxxxxxx on behalf of jgates@xxxxxxxxxxxxxx
> > Sent: Tue 4/26/2005 9:10 AM
> > To: thin@xxxxxxxxxxxxx
> > Cc: thin@xxxxxxxxxxxxx; thin-bounce@xxxxxxxxxxxxx
> > 
> > Subject: [THIN] Re: Securing the Web Interface
> > 
> >  
> > 
> > I thought you had to run CSG for the session to be encrypted?
> > 
> > Thanks,
> > 
> > Jobe
> > 
> > 
> > 
> >  
> >  "Henry Sieff" <hsieff@xxxxxxxxxxxx>
> > Sent by: thin-bounce@xxxxxxxxxxxxx
> > 
> > 04/26/2005 09:48 AM
> > Please respond to thin
> >          
> >         To:        thin@xxxxxxxxxxxxx, "Thin" <thin@xxxxxxxxxxxxx> 
> >         cc:         
> >         Subject:        [THIN] Re: Securing the Web Interface
> > 
> > 
> > This is easy to do -
> > 1. First thing you will need to do is generate the certificate
> > request, which you do from IIS management console, within the
> > directory security section, under server certificate. The main thing
> > to remember is that the SSL certs are linked to a specific friendly
> > name, and if they don't match, you get an annoying warning. So, for
> > example, my external NFUSE portal is matched on host header
> > http://appsext.orthdoon.com, so the name I put in my certificate
> > request wizard would be appsext.orthodon.com. (I use 2048 bit cipher
> > on mine - YMMV)
> >
> > 2. Purchase an SSL certificate from a CA whose root signing
> > certificate is already trusted by most browsers - I use geotrust
> > (www.geotrust.com) but verisign is also good. (Geotrust has a really
> > cool phone/web combination request process.) (You should be listed as
> > one of the contacts for your domain, or at least warn them, since
> > whoever is might need to approve it via email.)
> >
> > 3. When you are done, you will have a piece of text that you copy and
> > paste into a text file and change the extension to .cer, and copy it to
> > the server. Go back to the IIS management console, and go to the
> > directory security tab and click on server certificate, and follow the
> > prompts to install the certificate. Remove the request text file and
> > the certificate text file and store them in a VERY secure location.
> > Also, under the server cert section in IIS, you should click the
> > require SSL for this web site, and choose 128 bit, unless you think
> > you have browsers out there which don't support it.
> >
> > It's pretty straightforward - I am more than willing to help you
> > further if you have further questions. If you go to www.geotrust.com,
> > they have instructions for the process for just about every type of
> > web server.
> >
> > After you are done, make sure you have port 443 open inbound to that
> > server, btw. Also, your clients should make sure their web browsers
> > can save encrypted pages to disk (Tools>Internet
> > Options->Advanced->uncheck Do not save encrypted pages to disk) since
> > the ica files they download will now be encrypted. You will now have
> > encrypted sessions with no passwords in clear text.
> >   
> > Henry
> > 
> >  ________________________________
> >  
> > From: thin-bounce@xxxxxxxxxxxxx on behalf of Greg Reese
> > Sent: Mon 4/25/2005 4:52 PM
> > To: Thin
> > Subject: [THIN] Securing the Web Interface
> >  
> > 
> > I have been running the Web Interface 3.0 to show management and some
> > of the users how it will benefit them and make everyone taller and
> > better looking etc.  It has been well received so far and it is
> > looking like it will move live.
> >
> > The problem is that the login authentication is sending the password
> > in clear text and policy prohibits me from putting out anything that
> > sends passwords in clear text.  This is only used by internal users,
> > not Internet users so I think the Secure Gateway might be a little
> > overkill.
> >
> > Can I just SSL enable IIS to secure up the login on the Web Interface?
> > And if so, what is the easiest way to do this?  I don't want the users
> > to have to get presented with a bunch of prompts to install things if
> > I can avoid it.  I know enough about IIS to get the Web Interface
> > running and that is about it.  My IIS server is IIS 6 on Windows 2003.
> > Its sole purpose in life is to support Citrix things.
> > It runs the Citrix License console, web interface etc.
> > 
> > Any ideas are greatly appreciated.
> > 
> > Thanks!
> > 
> > Greg
********************************************************
This Weeks Sponsor: ThinPrint GmbH
Now available: The new version .print Engine 6.2 with SSL encryption
and certificate management.
http://www.thinprint.com
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
ThinWiki community - Excellent SBC Search Capabilities!
http://www.thinwiki.com
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
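
Added example, not part of the original thread: a Python sketch of the name check behind the "annoying warning" in step 1 of the quoted instructions, run against every name users might type for the site (FQDN, short name, IP address). The host names, the sample certificate and the `cafile` path for an internal root CA are constructed placeholders; `fetch_cert` is the live variant and needs network access to the server.

```python
import socket
import ssl


def cert_names(cert):
    """DNS names in an ssl.getpeercert()-style dict: SAN entries, else subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive label match; '*' counts only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject over-broad wildcards such as '*.internal'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def hosts_that_warn(cert, hosts):
    """Return the names users might type that the certificate does not cover."""
    names = cert_names(cert)
    return [h for h in hosts if not any(name_matches(n, h) for n in names)]


def fetch_cert(host, port=443, cafile=None):
    """Live check: verified handshake; cafile is the internal root CA in PEM form.

    Raises ssl.SSLCertVerificationError if the chain or the name does not verify.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: a certificate requested with only the FQDN as its name.
SAMPLE_CERT = {"subject": ((("commonName", "apps.example.internal"),),)}
SAMPLE_HOSTS = ["apps.example.internal", "APPS.example.internal", "apps", "10.0.0.15"]

if __name__ == "__main__":
    # Names that would trigger a browser warning if published to users.
    print(hosts_that_warn(SAMPLE_CERT, SAMPLE_HOSTS))
```

Internal sites are often reached by short name or IP address, so the links and shortcuts handed to users should use exactly the name that went into the certificate request.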
