[THIN] Re: Web Interface - login process

  • From: Angela Smith <angela_smith9@xxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Mon, 25 Feb 2008 23:02:34 +1100

Hi Rick

Firstly, thanks for your reply.  The reason for possibly adding a WI to the DMZ 
is for a requirement by a third party who need to access our farm over the 
Internet.  I could think of 2 options to accommodate this:

1) Install a Web Interface server in our DMZ and open the relevant ports so the 
WI can access the Citrix Servers on the Internal Network

2) Use a Cisco VPN device (we cannot use CSG or Access Gateway) which is our 
company standard to connect in.  Once authenticated, users would access the Web 
Interface and Citrix farm on the internal network (no DMZ changes required).

I needed to understand the ports / issues associated with making such a change.

Angela



Date: Mon, 25 Feb 2008 21:38:57 +1000
From: ulrich.mack@xxxxxxxxx
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Web Interface - login process

Hi Angela,
 
The very best explanation of how web interface works has got to be the doco 
that comes with the web interface SDK. Download that from the CDN site and 
you'll know it all ;-)
 
Web interface "talks" to only 2 external entities, the secure ticketing 
authority (STA) and the XML service of a Citrix server. The STA functionality 
is now also provided by the XML service (CPS 4.X) so port 80 to one or more 
Citrix servers is all you need for web interface (WI). The Zone data collector 
is a good first candidate, but you'd be sensible to list more than one server 
in the WI farm list. User authentication is via the XML service of the Citrix 
servers.

 
If we're talking about internal and not WAN Citrix clients, then you need ports 
80 (optional) and port 1494 or 2598 for ICA if you've got session reliability 
enabled. External client access should either be using an SSL VPN, Secure 
gateway or Citrix Access Gateway appliances. 

 
Addressing your list directly in terms of firewall rules:
 
1) Client - Web Interface - Port 80 - yes, internal ONLY, otherwise use 443 
(plus CAG/CSG etc) for security
2) Web Interface - Active Directory (AD on internal network) - not sure what AD 
ports need to be opened - no

3) Active Directory - Web Interface - no
4) Web Interface - Zone Data Collector - Port 80 - yes, could be encrypted if 
WI in DMZ
5) Zone Data Collector - Web Interface - Port 80 - no
6) Web Interface - Client - Port 80 - no


User launches Published App
7) Client - Web Interface - Port 80 - yes but only internal. DON'T allow access 
without CSG/CAG etc
8) Web Interface - Client - Port 80 - no
9) Client - Citrix Presentation Server - Port 1494 - yes or 2598 (session 
reliability) but only internal

 

I repeat, there is absolutely no good reason for putting WI in the DMZ in a 
private LAN/WAN scenario, unless you want to secure yourself against external 
users. And if that's the case, use a VPN appliance, CSG or CAG so you've got an 
SSL-secured front end to WI.


regards,
 
Rick
 
On 2/25/08, Angela Smith <angela_smith9@xxxxxxxxxxx> wrote:

Hi

I've been tasked to document the Web Interface communication in our environment 
and the ports that need to be opened between our DMZ and internal network.  I'm 
looking at installing a Web Interface in our DMZ which will access our Citrix 
Farm on the internal network.  I need the Web Interface to authenticate against 
Active Directory.  This is what I've got so far and I was hoping someone could 
crosscheck or point me in the right direction.


1) Client - Web Interface - Port 80
2) Web Interface - Active Directory (AD on internal network) - not sure what AD 
ports need to be opened
3) Active Directory - Web Interface
4) Web Interface - Zone Data Collector - Port 80

5) Zone Data Collector - Web Interface - Port 80
6) Web Interface - Client - Port 80

User launches Published App
7) Client - Web Interface - Port 80
8) Web Interface - Client - Port 80
9) Client - Citrix Presentation Server - Port 1494



A few questions:

1) Is the above correct?
2) When a user launches a Published App, is the client talking 1494 direct to 
the Citrix Presentation Server?  Is the communication going through the Web 
Interface or is it direct from client to the Citrix Server?  Therefore does 
1494 need to be open to the client or is it 1494 from Web Interface to Citrix 
server only?

3) If the client is using JAVA does this still talk 1494 direct to the Citrix 
Farm or is it a different port?

I'm trying to document the above login process and would appreciate any 
assistance or direction.

Thanks

Angela



-- 
Ulrich Mack
www.commander.com 

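The following is an added example, not code from the thread, from Citrix or from either poster. It turns Rick's port-by-port answers into an allow-list and audits a proposed rule list of the shape Angela wrote (initiator, responder, port) against it, so the result can go straight into the firewall documentation she was asked to produce. The role names ("Client", "Web Interface", "Zone Data Collector", "Presentation Server", "Active Directory"), the zone labels "internal"/"external" and the sample rule list are constructed for illustration; the verdicts encode the thread's answers: plaintext 80 and ICA 1494/2598 only from the internal network, 443 behind a VPN appliance, CSG or CAG for external users, WI to the XML service on 80, no direct AD rule, and no reverse rules because reply traffic rides the firewall's state table.

```python
"""Audit a proposed DMZ/internal firewall rule list for a Citrix Web
Interface (WI) deployment against the flows Rick's reply says are needed.

Added example, not code from the thread. Role names, the zone labels
and the sample rule list are constructed for illustration; the
allow-list itself encodes the port answers given in the thread.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str                 # initiating role, e.g. "Client"
    dst: str                 # responding role, e.g. "Web Interface"
    port: Optional[int]      # None where the thread gives no port (the AD lines)
    zone: str = "internal"   # where the initiator sits: "internal" or "external"


# (initiator, responder, port) -> zones the initiator may come from.
ALLOWED: Dict[Tuple[str, str, int], set] = {
    ("Client", "Web Interface", 80): {"internal"},
    ("Client", "Web Interface", 443): {"internal", "external"},             # only behind VPN/CSG/CAG
    ("Web Interface", "Zone Data Collector", 80): {"internal", "external"},  # XML service + STA; SSL if WI in DMZ
    ("Client", "Presentation Server", 1494): {"internal"},                  # ICA
    ("Client", "Presentation Server", 2598): {"internal"},                  # ICA with session reliability
}


def audit(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason) for one proposed firewall rule."""
    key = (flow.src, flow.dst, flow.port)
    if key in ALLOWED:
        if flow.zone in ALLOWED[key]:
            return "allow", "required flow"
        return ("deny", f"port {flow.port} must not be reachable from the {flow.zone} zone; "
                        "front WI with 443 behind a VPN appliance, CSG or CAG")
    # The reverse of a required flow is just reply traffic; a stateful
    # firewall passes it without a separate inbound rule.
    if any((k[1], k[0]) == (flow.src, flow.dst) for k in ALLOWED):
        return "unneeded", "reply traffic of an established session"
    if "Active Directory" in (flow.src, flow.dst):
        return "unneeded", "WI authenticates through the XML service, not directly to AD"
    return "unknown", "flow not covered by the thread; document it before opening a port"


def audit_all(flows: Iterable[Flow]) -> List[Tuple[Flow, str, str]]:
    return [(f, *audit(f)) for f in flows]


def summarize(flows: Iterable[Flow]) -> Dict[str, int]:
    """Count verdicts so a rule list can be checked at a glance."""
    return dict(Counter(verdict for _, verdict, _ in audit_all(flows)))


# Constructed sample: Angela's original nine-line list, all initiators internal.
SAMPLE_FLOWS = [
    Flow("Client", "Web Interface", 80),
    Flow("Web Interface", "Active Directory", None),
    Flow("Active Directory", "Web Interface", None),
    Flow("Web Interface", "Zone Data Collector", 80),
    Flow("Zone Data Collector", "Web Interface", 80),
    Flow("Web Interface", "Client", 80),
    Flow("Client", "Web Interface", 80),
    Flow("Web Interface", "Client", 80),
    Flow("Client", "Presentation Server", 1494),
]

if __name__ == "__main__":
    for flow, verdict, reason in audit_all(SAMPLE_FLOWS):
        print(f"{flow.src:>21} -> {flow.dst:<21} {str(flow.port):>4}  {verdict:<8} {reason}")
    print(summarize(SAMPLE_FLOWS))
```

Running the script on the sample list yields four "allow" rows and five "unneeded" rows, which matches Rick's yes/no answers line for line; re-running it with the client rows tagged `zone="external"` turns the port 80 and 1494 rows into "deny", which is the case the thread says must go through 443 and a VPN, CSG or CAG front end instead.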
