You don't need to open up ports from the WI server to AD to perform authentication. The WI server doesn't do user authentication - there's a slide deck here - www.citrixevents.com/.../dynamic/presentations/3105%20SecuringMonitoringNetworkTrafficwithinCAS_Final_v2.ppt - that gives a graphical view of the authentication process. User credentials are passed from the WI server to the IMA Service running on your Citrix servers via the XML Broker in order for the IMA service to authenticate the user and get their list of available applications. When the user wants to launch a published app, the user's ICA file is populated with their ticket information (obtained from an STA) which allows them to log on.

So, technically - you *could* just use 80 and 1494, although if you want to use session reliability you'll need to add in 2598. Obviously, that's not very secure. Ideally you've enabled HTTPS for the page submitting the user's credentials (otherwise your network passwords are wandering over the internet in plain sight), and you're at least encrypting the XML service from the WI to the Citrix servers by using HTTPS.

Raw and out of the box, once the user launches an app they are communicating with the Citrix server on 1494 (by default); it's 1494 from the client to the Citrix server(s) for all the Citrix clients, including Java. 1494 might not be open at the client end, and isn't encrypted either: a straightforward way to secure that communication would be to have CSG secure ICA communication to the user by encapsulating it in an SSL tunnel.

There is a useful TCP port check document on Doug Brown's site - http://www.dabcc.com/article.aspx?id=1755

Hth.
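As an added example (not part of the thread), a small Python model of the flows Angela listed with the caveats from the reply above: which DMZ rules are needed for a given combination of HTTPS on the WI page, HTTPS on the XML service, session reliability and CSG, which of those rules still carry credentials or sessions in the clear, and a plain TCP connect check of the kind the port-check article describes. Host role names are placeholders, and the CSG forwarding ICA on to the Presentation Server on 1494 is an assumption the thread does not state.

```python
import socket

# Added example: model of the DMZ firewall flows described in the thread.
# Role names are placeholders; the csg -> presentation-server hop on 1494 is an
# assumption about how the Secure Gateway forwards ICA, not something the thread states.
ICA_PORT = 1494
SESSION_RELIABILITY_PORT = 2598

def required_flows(wi_https=True, xml_https=True, session_reliability=False, csg=False):
    """Return (source, destination, port, encrypted) tuples the firewall must allow."""
    flows = [
        # Client posts credentials to Web Interface; WI relays them to the XML broker
        # (IMA service) and later obtains the STA ticket over the same XML channel.
        ("client", "web-interface", 443 if wi_https else 80, wi_https),
        ("web-interface", "xml-broker", 443 if xml_https else 80, xml_https),
    ]
    ica_src = "csg" if csg else "client"
    if csg:
        # Secure Gateway wraps ICA in SSL towards the client, then forwards plain ICA.
        flows.append(("client", "csg", 443, True))
    flows.append((ica_src, "presentation-server", ICA_PORT, False))
    if session_reliability:
        flows.append((ica_src, "presentation-server", SESSION_RELIABILITY_PORT, False))
    return flows

def plaintext_exposures(flows):
    """Flows that leave the client or the DMZ web tier without encryption."""
    return [f for f in flows if not f[3] and f[0] in ("client", "web-interface")]

def tcp_reachable(host, port, timeout=2.0):
    """Plain TCP connect check; no application payload is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(flows, hosts, timeout=2.0):
    """Map each flow's destination role to a real host (hosts dict) and test reachability."""
    return [(src, dst, port, tcp_reachable(hosts[dst], port, timeout))
            for src, dst, port, _enc in flows if dst in hosts]

if __name__ == "__main__":
    flows = required_flows(wi_https=False, xml_https=False, session_reliability=True)
    for f in flows:
        print("allow %-14s -> %-19s tcp/%d%s" % (f[0], f[1], f[2], "" if f[3] else "  (cleartext)"))
    for f in plaintext_exposures(flows):
        print("WARNING: credentials or session in the clear:", f[:3])
    # Constructed host map for a dry run; the check fails offline, which is expected.
    print(audit(flows, {"web-interface": "wi.example.invalid"}, timeout=0.5))
```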
-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Angela Smith
Sent: 25 February 2008 09:18
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Web Interface - login process

Hi

I've been tasked to document the Web Interface communication in our environment and the ports that need to be opened between our DMZ and internal network. I'm looking at installing a Web Interface in our DMZ which will access our Citrix Farm on the internal network. I need the Web Interface to authenticate against Active Directory. This is what I've got so far and I was hoping someone could crosscheck or point me in the right direction.

1) Client - Web Interface - Port 80
2) Web Interface - Active Directory (AD on internal network) - not sure what AD ports need to be opened
3) Active Directory - Web Interface
4) Web Interface - Zone Data Collector - Port 80
5) Zone Data Collector - Web Interface - Port 80
6) Web Interface - Client - Port 80

User launches Published App
7) Client - Web Interface - Port 80
8) Web Interface - Client - Port 80
9) Client - Citrix Presentation Server - Port 1494

A few questions:
1) Is the above correct?
2) When a user launches a Published App, is the client talking 1494 direct to the Citrix Presentation Server? Is the communication going through the Web Interface or is it direct from client to the Citrix Server? Therefore does 1494 need to be open to the client or is it 1494 from Web Interface to Citrix server only?
3) If the client is using Java does this still talk 1494 direct to the Citrix Farm or is it a different port?

I'm trying to document the above login process and would appreciate any assistance or direction.

Thanks
Angela
************************************************
For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: //www.freelists.org/list/thin
************************************************