Glad it worked for you - and yeah, if you have no need for external clients to use it, then using your AD's CA is perfectly acceptable.

> -----Original Message-----
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Reese
> Sent: Tuesday, April 26, 2005 2:56 PM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Securing the Web Interface
>
> Thanks Henry. All we wanted to secure was the password so this worked really well. What we ended up with was our own certificate server which we then added as a trusted authority in Active Directory. Works beautifully and even solved a similar issue for some other groups here.
>
> Greg
>
> On 4/27/05, Henry Sieff <hsieff@xxxxxxxxxxxx> wrote:
> >
> > The web session is encrypted - the Citrix session will not be encrypted via SSL, but will be encrypted via whatever encryption method you set for the published application/desktop. The main concern is the sending of passwords in clear text, which SSL on the web server takes care of.
> >
> > ________________________________
> > From: thin-bounce@xxxxxxxxxxxxx on behalf of jgates@xxxxxxxxxxxxxx
> > Sent: Tue 4/26/2005 9:10 AM
> > To: thin@xxxxxxxxxxxxx
> > Cc: thin@xxxxxxxxxxxxx; thin-bounce@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Securing the Web Interface
> >
> > I thought you had to run CSG for the session to be encrypted?
> >
> > Thanks,
> >
> > Jobe
> >
> > "Henry Sieff" <hsieff@xxxxxxxxxxxx>
> > Sent by: thin-bounce@xxxxxxxxxxxxx
> > 04/26/2005 09:48 AM
> > Please respond to thin
> >
> > To: thin@xxxxxxxxxxxxx, "Thin" <thin@xxxxxxxxxxxxx>
> > cc:
> > Subject: [THIN] Re: Securing the Web Interface
> >
> > This is easy to do -
> >
> > 1. First thing you will need to do is generate the certificate request, which you do from IIS management console, within the directory security section, under server certificate. The main thing to remember is that the SSL certs are linked to a specific friendly name, and if they don't match, you get an annoying warning. So, for example, my external NFUSE portal is matched on host header http://appsext.orthdoon.com, so the name I put in my certificate request wizard would be appsext.orthodon.com. (I use 2048 bit cipher on mine - YMMV)
> >
> > 2. Purchase an SSL certificate from a CA whose root signing certificate is already trusted by most browsers - I use GeoTrust (www.geotrust.com) but VeriSign is also good. (GeoTrust has a really cool phone/web combination request process.) You should be listed as one of the contacts for your domain, or at least warn them, since whoever is might need to approve it via email.
> >
> > 3. When you are done, you will have a piece of text that you copy and paste into a text file and change the extension to .cer, and copy it to the server. Go back to the IIS management console, and go to the directory security tab and click on server certificate, and follow the prompts to install the certificate. Remove the request text file and the certificate text file and store them in a VERY secure location. Also, under the server cert section in IIS, you should click the require SSL for this web site, and choose 128 bit, unless you think you have browsers out there which don't support it.
> >
> > It's pretty straightforward - I am more than willing to help you further if you have further questions. If you go to www.geotrust.com, they have instructions for the process for just about every type of web server.
> >
> > After you are done, make sure you have port 443 open inbound to that server, btw. Also, your clients should make sure their web browsers can save encrypted pages to disk (Tools->Internet Options->Advanced->uncheck Do not save encrypted pages to disk) since the ica files they download will now be encrypted. You will now have encrypted sessions with no passwords in clear text.
> >
> > Henry
> >
> > ________________________________
> >
> > From: thin-bounce@xxxxxxxxxxxxx on behalf of Greg Reese
> > Sent: Mon 4/25/2005 4:52 PM
> > To: Thin
> > Subject: [THIN] Securing the Web Interface
> >
> > I have been running the Web Interface 3.0 to show management and some of the users how it will benefit them and make everyone taller and better looking etc. It has been well received so far and it is looking like it will move live.
> >
> > The problem is that the login authentication is sending the password in clear text and policy prohibits me from putting out anything that sends passwords in clear text. This is only used by internal users, not Internet users so I think the Secure Gateway might be a little overkill.
> >
> > Can I just SSL enable IIS to secure up the login on the Web Interface? And if so, what is the easiest way to do this? I don't want the users to have to get presented with a bunch of prompts to install things if I can avoid it. I know enough about IIS to get the Web Interface running and that is about it. My IIS server is IIS 6 on Windows 2003. Its sole purpose in life is to support Citrix things. It runs the Citrix License console, web interface etc.
> >
> > Any ideas are greatly appreciated.
> >
> > Thanks!
> >
> > Greg
> >
> > ********************************************************
> > This Weeks Sponsor: RTO Software TScale
> > TScale provides a cost-effective way to improve performance, capacity and stability for thin-client servers like Citrix MetaFrame or Microsoft Terminal Services running Windows NT, 2000 or 2003.
> > http://www.rtosoft.com/enter.asp?id)6
> > **********************************************************
> > Useful Thin Client Computing Links are available at:
> > http://thin.net/links.cfm
> > ThinWiki community - Excellent SBC Search Capabilities!
> > http://www.thinwiki.com
> > ***********************************************************
> > For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link:
> > http://thin.net/citrixlist.cfm
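
Added example, not part of the original thread or written by its posters: a Python check of the two conditions the thread turns on, namely that the login URL is HTTPS and that the host name users type matches the name in the certificate request (step 1). The certificate dict is constructed in the shape Python's `ssl` `getpeercert()` returns, using the name `appsext.orthodon.com` from the thread; the URL list is an assumption about what internal users might type.

```python
# Added example: the sample certificate and URLs below are constructed.
from urllib.parse import urlsplit

def cert_dns_names(cert):
    """Names a browser compares against, from a getpeercert()-style dict."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN DNS entries exist, the CN is ignored
    # CN fallback, as IIS 6 era browsers did; current browsers require a SAN
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return h[0] != "" and p[1:] == h[1:]
    return p == h

def urls_that_warn(cert, urls):
    """Map each problem URL to the reason it exposes the login or triggers a warning."""
    names = cert_dns_names(cert)
    problems = {}
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "https":
            problems[url] = "not https: login would be sent in clear text"
        elif not any(name_matches(n, host) for n in names):
            problems[url] = f"name mismatch: {host!r} not in {names}"
    return problems

# Constructed certificate carrying only a CN, as a 2005 request wizard would produce.
SAMPLE_CERT = {"subject": ((("organizationName", "Example Org"),),
                           (("commonName", "appsext.orthodon.com"),))}
SAMPLE_URLS = [
    "https://appsext.orthodon.com/",   # matches the requested name
    "https://APPSEXT.orthodon.com./",  # case and trailing dot still match
    "https://appsext/",                # short name typed by an internal user
    "http://appsext.orthodon.com/",    # plain HTTP bookmark
]

if __name__ == "__main__":
    for url, reason in urls_that_warn(SAMPLE_CERT, SAMPLE_URLS).items():
        print(url, "->", reason)
```

Internal users who reach the server by a short name get the warning even with a valid certificate, so publish the fully qualified name that was put in the request.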