Reverse Proxy and Secure Gateway? 1

[rayzze]

Does any one know why I would need Secure Gateway when I already have a reverse proxy in my DMZ? I want to implement external access to an internal NFUSE 1.8 or WI server. Can't the reverse proxy just handle the communications between the client and my internal web server then just serve up an embeded application (Java client) connection to the metaframe server?

Will this work?

 

[BeerGood]

The reverse proxy will help protect communications between the external client and the web server, but you would still need to open up port 1494 to allow communications between the external client (whether you're using the Java client or one of the other clients) and the internal Citrix server. By using a CSG you only need to open 443 (ie SSL) to the CSG, and 1494 from the CSG in the DMZ to your internal MetaFrame server.

Cheers

 

[rayzze]

That is exactly the info I needed. I thought for some reason that there was an embeded web client that would run in a browser window that could communicate over port 80 or 443 in this instance. But if they all require ICA 1494 then secure gateway is the best solution.

Thanks,

 

[BeerGood]

Yeah.... it's a bit tricky. NFuse displays the available published apps to clients via 80/443, and the java client is sort of embedded in a web page, but it still uses ICA 1494 to talk to the Citrix server. You can change the ICA client to run on any port you want, of course, but that's not going to help with the reverse proxy. The CSG does mean one more thing in your dmz (you could of course put it in the internal network, but ideally it should be in the dmz), but then again it will run on a number of platforms now, is free, doesn't cause a huge strain on what it runs on, and - more importantly - keeps the number of open ports down and helps protect the Citrix servers from external attacks.

Cheers