[THIN] Re: Securing the Web Interface

  • From: Greg Reese <gareese@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Wed, 27 Apr 2005 09:45:26 +1200

We may have the occasional outside client connect, we just don't care
whether or not they are happy.

Greg

On 4/27/05, Henry Sieff <hsieff@xxxxxxxxxxxx> wrote:
> Glad it worked for you - and yeah, if you have no need for external
> clients to use it, then using your AD's CA is perfectly acceptable.
> 
> > -----Original Message-----
> > From: thin-bounce@xxxxxxxxxxxxx
> > [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Reese
> > Sent: Tuesday, April 26, 2005 2:56 PM
> > To: thin@xxxxxxxxxxxxx
> > Subject: [THIN] Re: Securing the Web Interface
> >
> > Thanks Henry.  All we wanted to secure was the password so
> > this worked really well.  What we ended up with was our own
> > certificate server which we then added as a trusted authority
> > in Active Directory.  Works beautifully and even solved a
> > similar issue for some other groups here.
> >
> > Greg
> >
> > On 4/27/05, Henry Sieff <hsieff@xxxxxxxxxxxx> wrote:
> > >
> > >
> > > The web session is encrypted - the Citrix session will not be
> > > encrypted via SSL, but will be encrypted via whatever encryption
> > > method you set for the published application/desktop. The main
> > > concern is the sending of passwords in clear text, which SSL on the
> > > web server takes care of.
> > >
> > >  ________________________________
> > >  From: thin-bounce@xxxxxxxxxxxxx on behalf of jgates@xxxxxxxxxxxxxx
> > > Sent: Tue 4/26/2005 9:10 AM
> > > To: thin@xxxxxxxxxxxxx
> > > Cc: thin@xxxxxxxxxxxxx; thin-bounce@xxxxxxxxxxxxx
> > >
> > > Subject: [THIN] Re: Securing the Web Interface
> > >
> > >
> > >
> > > I thought you had to run CSG for the session to be encrypted?
> > >
> > > Thanks,
> > >
> > > Jobe
> > >
> > >
> > >
> > >
> > >  "Henry Sieff" <hsieff@xxxxxxxxxxxx>
> > > Sent by: thin-bounce@xxxxxxxxxxxxx
> > >
> > > 04/26/2005 09:48 AM
> > > Please respond to thin
> > >
> > >         To:        thin@xxxxxxxxxxxxx, "Thin" <thin@xxxxxxxxxxxxx>
> > >         cc:
> > >         Subject:        [THIN] Re: Securing the Web Interface
> > >
> > >
> > > This is easy to do -
> > > 1. First thing you will need to do is generate the certificate
> > > request, which you do from IIS management console, within the
> > > directory security section, under server certificate. The main thing
> > > to remember is that the SSL certs are linked to a specific friendly
> > > name, and if they don't match, you get an annoying warning. So, for
> > > example, my external NFUSE portal is matched on host header
> > > http://appsext.orthdoon.com, so the name I put in my certificate
> > > request wizard would be appsext.orthodon.com. (I use 2048 bit cipher
> > > on mine - YMMV)
> > >
> > > 2. Purchase an SSL certificate from a CA whose root signing
> > > certificate is already trusted by most browsers - I use GeoTrust
> > > (www.geotrust.com) but VeriSign is also good. (GeoTrust has a really
> > > cool phone/web combination request process.) You should be listed as
> > > one of the contacts for your domain, or at least warn them, since
> > > whoever is might need to approve it via email.
> > >
> > > 3. When you are done, you will have a piece of text that you copy and
> > > paste into a text file and change the extension to .cer, and copy it to
> > > the server. Go back to the IIS management console, and go to the
> > > directory security tab and click on server certificate, and follow the
> > > prompts to install the certificate. Remove the request text file and
> > > the certificate text file and store them in a VERY secure location.
> > > Also, under the server cert section in IIS, you should click the
> > > require SSL for this web site, and choose 128 bit, unless you think
> > > you have browsers out there which don't support it.
> > >
> > > It's pretty straightforward - I am more than willing to help you
> > > further if you have further questions. If you go to www.geotrust.com,
> > > they have instructions for the process for just about every type of
> > > web server.
> > >
> > > After you are done, make sure you have port 443 open inbound to that
> > > server, btw. Also, your clients should make sure their web browsers
> > > can save encrypted pages to disk (Tools->Internet
> > > Options->Advanced->uncheck Do not save encrypted pages to disk) since
> > > the ICA files they download will now be encrypted. You will now have
> > > encrypted sessions with no passwords in clear text.
> > >
> > > Henry
> > >
> > >  ________________________________
> > >
> > > From: thin-bounce@xxxxxxxxxxxxx on behalf of Greg Reese
> > > Sent: Mon 4/25/2005 4:52 PM
> > > To: Thin
> > > Subject: [THIN] Securing the Web Interface
> > >
> > >
> > > I have been running the Web Interface 3.0 to show management and some
> > > of the users how it will benefit them and make everyone taller and
> > > better looking etc.  It has been well received so far and it is
> > > looking like it will move live.
> > >
> > > The problem is that the login authentication is sending the password
> > > in clear text and policy prohibits me from putting out anything that
> > > sends passwords in clear text.  This is only used by internal users,
> > > not Internet users so I think the Secure Gateway might be a little
> > > overkill.
> > >
> > > Can I just SSL-enable IIS to secure up the login on the Web Interface?
> > > And if so, what is the easiest way to do this?  I don't want the users
> > > to have to get presented with a bunch of prompts to install things if
> > > I can avoid it.  I know enough about IIS to get the Web Interface
> > > running and that is about it.  My IIS server is IIS 6 on Windows 2003.
> > > Its sole purpose in life is to support Citrix things.
> > > It runs the Citrix License console, web interface etc.
> > >
> > > Any ideas are greatly appreciated.
> > >
> > > Thanks!
> > >
> > > Greg
>
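Added example, not part of the original thread: a Python check for the name-match warning Henry mentions in step 1 and for the internal-CA setup Greg ended up with. The sample certificate is constructed (it reuses the name from Henry's request example); the function names, the validity dates and the `cafile` path you would pass are assumptions of this example.

```python
import socket
import ssl
import time

# Constructed sample in the dict shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "appsext.orthodon.com"),),),
    "notBefore": "Apr 26 00:00:00 2005 GMT",
    "notAfter": "Apr 26 00:00:00 2006 GMT",
}

def cert_names(cert):
    """DNS names to match: SAN entries if present, else the subject CN (legacy fallback)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive label match; '*' only as the whole leftmost label of 3+ labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h

def audit(cert, host, now=None):
    """Return the problems that would raise a browser warning when visiting `host`."""
    now = time.time() if now is None else now
    names = cert_names(cert)
    problems = []
    if not any(name_matches(n, host) for n in names):
        problems.append(f"name mismatch: {host} not in {names}")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("certificate not yet valid")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate expired")
    return problems

def fetch_cert(host, port=443, cafile=None):
    """Live probe. The handshake raises ssl.SSLCertVerificationError if the chain is
    untrusted; pass cafile= (PEM) to trust only an internal CA root instead."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Fetch the certificate once by its full name, then run `audit` against every name users actually type (a short host name, for instance), since each name missing from the certificate produces the warning.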
