[THIN] Re: Web Interface - login process

  • From: "Rick Mack" <ulrich.mack@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Mon, 25 Feb 2008 21:38:57 +1000

Hi Angela,

The very best explanation of how web interface works has got to be the doco
that comes with the web interface SDK. Download that from the CDN site and
you'll know it all ;-)

Web interface "talks" to only 2 external entities, the secure ticketing
authority (STA) and the XML service of a Citrix server. The STA
functionality is now also provided by the XML service (CPS 4.X) so port 80
to one or more Citrix servers is all you need for web interface (WI). The
Zone data collector is a good first candidate, but you'd be sensible to list
more than one server in the WI farm list. User authentication is via the XML
service of the Citrix servers.

If we're talking about internal and not WAN Citrix clients, then you need
ports 80 (optional) and port 1494 or 2598 for ICA if you've got session
reliability enabled. External client access should either be using an SSL
VPN, Secure gateway or Citrix Access Gateway appliances.

Addressing your list directly in terms of firewall rules:

1) Client - Web Interface - Port 80 - yes, internal ONLY, otherwise use 443
(plus CAG/CSG etc) for security
2) Web Interface - Active Directory (AD on internal network) - not sure what
AD ports need to be opened - no
3) Active Directory - Web Interface - no
4) Web Interface - Zone Data Collector - Port 80 - yes, could be encrypted
if WI in DMZ
5) Zone Data Collector - Web Interface - Port 80 - no
6) Web Interface - Client - Port 80 - no

User launches Published App
7) Client - Web Interface - Port 80 - yes but only internal. DON'T allow
access without CSG/CAG etc
8) Web Interface - Client - Port 80 - no
9) Client - Citrix Presentation Server - Port 1494 - yes or 2598 (session
reliability) but only internal

I repeat, there is absolutely no good reason for putting WI in the DMZ in a
private LAN/WAN scenario, unless you want to secure yourself against
external users. And if that's the case, use a VPN appliance, CSG or CAG so
you've got an SSL-secured front end to WI.

regards,

Rick

On 2/25/08, Angela Smith <angela_smith9@xxxxxxxxxxx> wrote:
>
>
> Hi
>
> I've been tasked to document the Web Interface communication in our
> environment and the ports that need to be opened between our DMZ and
> internal network.  I'm looking at installing a Web Interface in our DMZ which
> will access our Citrix Farm on the internal network.  I need the Web
> Interface to authenticate against Active Directory.  This is what I've got so
> far and I was hoping someone could crosscheck or point me in the right
> direction.
>
> 1) Client - Web Interface - Port 80
> 2) Web Interface - Active Directory (AD on internal network) - not sure
> what AD ports need to be opened
> 3) Active Directory - Web Interface
> 4) Web Interface - Zone Data Collector - Port 80
> 5) Zone Data Collector - Web Interface - Port 80
> 6) Web Interface - Client - Port 80
>
> User launches Published App
> 7) Client - Web Interface - Port 80
> 8) Web Interface - Client - Port 80
> 9) Client - Citrix Presentation Server - Port 1494
>
>
> A few questions:
>
> 1) Is the above correct?
> 2) When a user launches a Published App, is the client talking 1494 direct
> to the Citrix Presentation Server?  Is the communication going through the
> Web Interface or is it direct from client to the Citrix Server?  Therefore
> does 1494 need to be open to the client or is it 1494 from Web Interface to
> Citrix server only?
> 3) If the client is using JAVA does this still talk 1494 direct to the
> Citrix Farm or is it a different port?
>
> I'm trying to document the above login process and would appreciate any
> assistance or direction.
>
> Thanks
> Angela
>
-- 
Ulrich Mack
www.commander.com
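Added example, not from Rick's or Angela's posts: a small Python script that encodes the flows Rick lists (client to WI on 80 internally, or to a CSG/CAG front end on 443 for external users; WI to the XML service of one or more farm servers on 80; client straight to the Citrix server on 1494, or 2598 with session reliability) and probes each destination with a plain TCP connect so the rule set can be checked from the WI host. Host names, the `Flow` type and all function names are assumptions made for the example; the "no" directions from Rick's list (AD to WI, ZDC to WI, WI to client) are deliberately absent because they are replies on established connections and need no inbound rule.

```python
"""Audit the firewall flows a Citrix Web Interface (WI) deployment needs.

Constructed example: the flow list paraphrases the answer above, and the
host names used in __main__ are placeholders, not hosts from the thread.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # side that opens the connection
    dst: str    # listening side (host name or role)
    port: int
    note: str


def wi_flows(citrix_servers, session_reliability=False, internal_only=True):
    """Return the outbound flows WI and its clients require.

    Only the initiating direction gets a firewall rule; AD -> WI, ZDC -> WI
    and WI -> client traffic rides on connections the other side opened.
    """
    ica_port = 2598 if session_reliability else 1494
    flows = []
    if internal_only:
        flows.append(Flow("client", "web-interface", 80, "internal clients only"))
    else:
        # External users get an SSL front end (CSG/CAG/SSL VPN), never WI on 80
        flows.append(Flow("client", "csg-or-cag", 443, "SSL front end for external users"))
    for srv in citrix_servers:
        # WI talks to the XML service, which also provides STA on CPS 4.x
        flows.append(Flow("web-interface", srv, 80, "XML service / STA"))
        # ICA goes client -> server directly; it does not pass through WI
        flows.append(Flow("client", srv, ica_port, "ICA session"))
    return flows


def check_tcp(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(flows, probe=check_tcp):
    """Probe each flow's destination; returns a list of (flow, reachable)."""
    return [(f, probe(f.dst, f.port)) for f in flows]


def xml_service_available(results):
    """WI works as long as at least one listed farm server's XML service answers."""
    return any(ok for f, ok in results if f.src == "web-interface" and f.port == 80)


if __name__ == "__main__":
    # Placeholder farm servers: the zone data collector plus one more member
    farm = ["zdc.example.internal", "ps02.example.internal"]
    results = audit(wi_flows(farm, session_reliability=True))
    for f, ok in results:
        print(f"{'OK  ' if ok else 'FAIL'} {f.src} -> {f.dst}:{f.port}  ({f.note})")
    print("XML service reachable:", xml_service_available(results))
```

Run it from the WI box with the real farm server names substituted; the client-side ICA rows only tell you something when the script is run from a client subnet, since WI itself never opens 1494 or 2598.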
