Ctx lose money per cag device was a story I heard .. so VMs make sense to the vendor; I doubt there'll be a massive pass on in savings to the user. ..and 'stick you xenserver vm image in the DMZ' means (potentially) you've got to put a physical device in the DMZ to host the VM... so you've not really "saved" on a device and now you've got a virtual host(s) OS & HW to update and maintain not just the CAG Of course, moot if you've already got the kit there -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Warren Simondson Sent: 25 August 2009 23:57 To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: speaking of security nazis One thing to note on the pricing and pluses of a CAG - very shortly the CAG's will be available and supported as a Virtual device, meaning that the price 'apparently' will be more affordable becasue you won't be buying the hardware device anymore, just the Xenserver VM image and the Licenses. So you can stick your Xenserver in the DMZ and have the CAG available. CAG EE like the 7000 series also have the benefit of HA. There not that hard to set up butthey can take a little while to get right, especially with all the new firmwares being release over the past 6 months. -- Warren Simondson Ctrl-Alt-Del IT Consultancy Pty Ltd Website: http://www.ctrl-alt-del.com.au On Wed, Aug 26th, 2009 at 1:04 AM, Greg Reese <gareese@xxxxxxxxx> wrote: > SSL encryption is SSL encryption regardless of whether it comes from > the CSG > or the CAG. The CAG is a hardware appliance and has some other > goodies and > toys in it. But for proxying incoming connections to your protected > Citrix > farm, the engine is the same. > > The CAG will give you some endpoinit policies that CSG does not. > Things > like no mapped drives if AV defs aren't current. You could (and > should) > craft a Citrix policy to deny mapped drives to external clients > anyway. > Encrypt XML. that sort of thing. > > On Tue, Aug 25, 2009 at 9:45 AM, Wilson, Christopher > <CMWilson@xxxxxxxxxxxxx > > wrote: > > > The AppSense conversation reminds me of something else I want to > bounce > > off you guys. > > > > > > > > I am working at a company now that places I high priority on > security - > > perhaps more than I'm used to. I'm planning a consolidation of > several > > Citrix farms, one of which resides a DMZ. A small subset of > business apps > > are hosted here (Office and files shares really), because it was > deemed too > > great a risk to provide access to the whole internal Citrix > environment. > > The security team believes Citrix Secure Gateway with single > factor > > authentication doesn't provide enough protection from external > attack and > > thus won't point it at internal farms. (This is foreign to me > since I think > > of this as a limited VPN, and they do have VPN access.) > > > > > > > > So here's where I'm interested in your input. Two-factor > authentication is > > not in the budget, so not an option. Is CSG that much of a risk > to merit > > this kind of concern? Is CAG sufficiently better to mitigate some > of this > > concern? How are others doing it? My own experience is that I've > seen lots > > of CSG, a little CAG, and two factor authentication primarily at > larger > > companies. > > > > > > > > I want to be able to roll this DMZ farm internal, and provide the > benefits > > of remote access for all apps they've been missing out on. But > I'll have to > > get past the security guys first. > > > ************************************************ For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: //www.freelists.org/list/thin Follow ThinList on Twitter http://twitter.com/thinlist Thin List discussion is now available in blog format at: http://thinmaillist.blogspot.com Thinlist MOBILE Feed http://thinlist.net/mobile ************************************************ ************************************************ For Archives, RSS, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: //www.freelists.org/list/thin Follow ThinList on Twitter http://twitter.com/thinlist Thin List discussion is now available in blog format at: http://thinmaillist.blogspot.com Thinlist MOBILE Feed http://thinlist.net/mobile ************************************************