[THIN] Re: Web Interface - login process

  • From: "Andrew Wood" <andrew.wood@xxxxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Mon, 25 Feb 2008 11:21:30 -0000

You don't need to open up ports from the WI server to AD to perform
authentication. The WI server doesn't do user authentication - there's a
slidedeck here -
www.citrixevents.com/.../dynamic/presentations/3105%20SecuringMonitoringNetworkTrafficwithinCAS_Final_v2.ppt
that gives a graphical view of the authentication process.

User credentials are passed from the WI server to the IMA Service running on
your Citrix servers via the XML Broker in order for the IMA service to
authenticate the user and get their list of available applications. When the
user wants to launch a published app, the user's ica file is populated with
their ticket information (obtained from an STA) which allows them to log on.


So, technically - you *could* just use 80 and 1494, although if you want to
use session reliability you'll need to add in 2598.

Obviously, that's not very secure. 

Ideally you've enabled https for the page submitting the user's credentials
(otherwise your network passwords are wandering over the internet in plain
sight), and you're at least encrypting the XML service from the WI to the
Citrix servers by using https. 

Raw and out of the box, once the user launches an app they are communicating
with the Citrix server on 1494 (by default); it's 1494 from the client to the
Citrix server(s) for all the Citrix clients, including Java. 1494 might not
be open at the client end, and isn't encrypted either: a straightforward way
to secure that communication would be to have CSG to secure ICA
communication to the user by encapsulating it in an SSL tunnel.

There is a useful TCP port check document on Doug Brown's site -
http://www.dabcc.com/article.aspx?id=1755

Hth.


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Angela Smith
Sent: 25 February 2008 09:18
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Web Interface - login process


Hi

I've been tasked to document the Web Interface communication in our
environment and the ports that need to be opened between our DMZ and
internal network. I'm looking at installing a Web Interface in our DMZ which
will access our Citrix Farm on the internal network. I need the Web
Interface to authenticate against Active Directory. This is what I've got so
far and I was hoping someone could crosscheck or point me in the right
direction.

1) Client - Web Interface - Port 80
2) Web Interface - Active Directory (AD on internal network) - not sure what
AD ports need to be opened
3) Active Directory - Web Interface
4) Web Interface - Zone Data Collector - Port 80
5) Zone Data Collector - Web Interface - Port 80
6) Web Interface - Client - Port 80

User launches Published App
7) Client - Web Interface - Port 80
8) Web Interface - Client - Port 80
9) Client - Citrix Presentation Server - Port 1494


A few questions:

1) Is the above correct?
2) When a user launches a Published App, is the client talking 1494 direct
to the Citrix Presentation Server?  Is the communication going through the
Web Interface or is it direct from client to the Citrix Server?  Therefore
does 1494 need to be open to the client or is it 1494 from Web Interface to
Citrix server only?
3) If the client is using JAVA does this still talk 1494 direct to the
Citrix Farm or is it a different port?

I'm trying to document the above login process and would appreciate any
assistance or direction.

Thanks
Angela
************************************************
For Archives, RSS, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
//www.freelists.org/list/thin
************************************************
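The port matrix discussed in this thread, turned into a small reachability audit that also flags which open hops still carry credentials or ICA sessions in cleartext. This is an added example, not code from the list or from Citrix; the host names are assumed placeholders, and the probe is injectable so the logic can be exercised without a live farm.

```python
import socket
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str         # host that initiates the TCP connection
    dst: str         # host that must be reachable through the firewall
    port: int
    purpose: str
    encrypted: bool  # True only if this hop is TLS-protected as configured

# Port matrix from the thread. Host names are assumed placeholders.
EXPECTED_FLOWS = [
    Flow("client", "wi.dmz.example", 80, "WI logon page (credentials posted here)", False),
    Flow("client", "wi.dmz.example", 443, "WI logon page over HTTPS", True),
    Flow("wi.dmz.example", "xml.internal.example", 80, "XML service to IMA (WI -> XML broker)", False),
    Flow("client", "ps1.internal.example", 1494, "ICA session to Presentation Server", False),
    Flow("client", "ps1.internal.example", 2598, "Session reliability (CGP)", False),
]

def tcp_probe(host, port, timeout=3.0):
    """Real probe: True if a plain TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(flows, run_from, probe=tcp_probe):
    """Check only the flows that originate on `run_from` (a probe can prove
    reachability only from the host it runs on) and flag open cleartext hops."""
    report = []
    for f in flows:
        if f.src != run_from:
            continue
        reachable = probe(f.dst, f.port)
        warning = None
        if reachable and not f.encrypted:
            warning = "cleartext hop: use HTTPS (443) or CSG/SSL encapsulation"
        report.append({"flow": f, "reachable": reachable, "warning": warning})
    return report

def cleartext_ports(report):
    """Ports that are open but carry credentials or sessions unencrypted."""
    return [r["flow"].port for r in report if r["warning"]]

if __name__ == "__main__":
    for r in audit(EXPECTED_FLOWS, "client"):
        print(r["flow"].dst, r["flow"].port, "open" if r["reachable"] else "blocked", r["warning"] or "")
```

Run it once on a client in the DMZ-facing network and once on the WI server (with `run_from` set to its name) to document both halves of the path.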

