Security Infrastructure 1

jhala

IS-IT--Management
Sep 16, 2003
I have set up my own environment with Metaframe XPa FR2, but it is not in an Active Directory environment, just NT. Currently, I am only using the ICA sessions to connect; however, I have had NFUSE Classic previously working. Most likely it wasn't completely configured, i.e. XML Server, etc. Anyway, my environment works, I publish applications, clients can connect with an ICA session via TCP/HTTP, and I even added a server to my farm, but load balancing isn't working yet.
My customer wants to have a more secure Citrix Environment, and I have read about using the Citrix Secure Gateway and the Ticket Authority. I don't know which is the best way to set up a Citrix Environment, or even if it is better to use NFUSE instead of an ICA session. I'm sure that answer is different for every situation.
Here is a list of ways that I can see on how to set up a Citrix environment:

Server1 -> Server2 -> Server3 ......

ICA -> CSG -> Metaframe Server
ICA -> CSG -> STA -> Metaframe Server
ICA -> CSG -> IIS -> STA -> Metaframe Server
ICA -> CSG/IIS -> STA -> Metaframe Server
NFUSE/CSG/IIS -> XML Server -> Metaframe Server
NFUSE -> CSG/IIS -> Metaframe Server/XML Server
NFUSE -> CSG/IIS -> STA -> Metaframe Server/XML Server
NFUSE -> CSG -> IIS -> STA -> XML -> Metaframe Server
or
ICA -> CSG/IIS/STA/XML/Metaframe Server
NFUSE -> CSG/IIS/STA/XML/Metaframe Server

There may be other implementations that I am unaware of, but I want to know three things: which is the best implementation, which is the most practical, and which is the most conservative or cheapest implementation where components can be combined to fit on one server even though it is not the safest configuration. I also heard that all components can be combined onto one server as long as the correct ports are opened and not overlapping.

Any insight into this infrastructure would be greatly appreciated.

Thanks
John
 
>NFUSE instead of an ICA session.
NFuse (WebInterface) is just a Web-enabled PN that delivers ica files.
You ALWAYS need an ica client.

>cheapest implementation where components can be combined
That would be:

Server1 with citrix CSG2.0/WI2.0/STA/IIS public cert.
Server2 Citrix MetaFrame with XML Service

ICA Client = 443==> Server1= 1494/80==> Server2
 
Must disagree on the cheapest implementation where components can be combined

>That would be:
>
>Server1 with citrix CSG2.0/WI2.0/STA/IIS public cert.
>Server2 Citrix MetaFrame with XML Service

Citrix advises to install the STA on a completely separate machine. This is for enhanced security....



Petje
A+, MCP, MCSE on NT4.0 and windows 2000 with messaging specialty and CCEA
 
Thanks everyone,

How about the configuration of:
ICA -> CSG/IIS -> Metaframe Server/XML Service

My customer is not interested in using NFUSE, so hopefully this configuration will work.

Thanks
 
CSG is the secure component to use with NFuse...

So why do it the difficult way when you can use NFuse....



Petje
A+, MCP, MCSE on NT4.0 and windows 2000 with messaging specialty and CCEA
 
I've received feedback from other sites that I posted to, and this is what I compiled:

That it is possible to set up the environment with:
ICA -> CSGW/IIS -> Metaframe Server/XML Service
So this configuration requires only two servers and still offers security to my environment.

My customer doesn't want to use NFUSE.
How about the scenario:
ICA Client with Root Certificate -> SSL Encrypted Data -> CSGW on port 443 with Server Certificate -> Decrypted ICA -> Metaframe(port 1494) and XML(port 80)

Where CSGW is in Relay Mode and doesn't use the STA, and acts as a Server Side Proxy Server.

The security hole in this scenario is that the Metaframe Server's address is visible to client devices.

Does that make sense?

Note: Most of this information was received from feedback of my other posts, so I can't take credit for all of this.

Thanks Again for the informative responses.
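The two-server layout the thread settles on (ICA client on 443 to the CSG/IIS host, which then talks to the MetaFrame server on 1494 and the XML Service on 80) only stays secure if the firewall policy matches it: nothing from the client side may reach the MetaFrame host directly. The following policy audit is an added example, not code from the thread or from Citrix; the zone name `internet` and the host names `server1` and `server2` are constructed, as are both rule sets.

```python
"""Firewall policy check for the two-server Citrix Secure Gateway layout
discussed above (client -> CSG on 443 -> MetaFrame on 1494 / XML on 80).
Added example; zone names, host names and rule sets are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str            # zone or host name (constructed)
    dst: str
    port: int           # TCP port
    allow: bool = True


CLIENT_ZONE = "internet"   # where ICA clients come from (assumed name)
GATEWAY = "server1"        # CSG / IIS host (assumed name)
BACKEND = "server2"        # MetaFrame / XML Service host (assumed name)

# Flows the design needs: SSL from clients to the gateway only, then
# ICA (1494) and XML (80) from the gateway to the MetaFrame server.
REQUIRED = {
    (CLIENT_ZONE, GATEWAY, 443),
    (GATEWAY, BACKEND, 1494),
    (GATEWAY, BACKEND, 80),
}


def allowed(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if r.src == src and r.dst == dst and r.port == port:
            return r.allow
    return False


def audit(rules):
    """Return a sorted list of findings; an empty list means the policy
    matches the two-server design (only gateway:443 exposed to clients)."""
    findings = []
    for src, dst, port in sorted(REQUIRED):
        if not allowed(rules, src, dst, port):
            findings.append(f"missing required flow {src}->{dst}:{port}")
    # Any allow rule from the client zone other than gateway:443 means a
    # backend port is reachable without passing through the CSG.
    for r in rules:
        if r.src == CLIENT_ZONE and r.allow and (r.dst, r.port) != (GATEWAY, 443):
            findings.append(f"client zone reaches {r.dst}:{r.port} directly")
    return sorted(findings)


# Constructed policy that matches the design.
GOOD_POLICY = [
    Rule(CLIENT_ZONE, GATEWAY, 443),
    Rule(GATEWAY, BACKEND, 1494),
    Rule(GATEWAY, BACKEND, 80),
]

# Constructed careless variant: the MetaFrame and XML ports were also opened
# straight from the Internet "to make it work", bypassing the gateway.
LEAKY_POLICY = GOOD_POLICY + [
    Rule(CLIENT_ZONE, BACKEND, 1494),
    Rule(CLIENT_ZONE, BACKEND, 80),
]

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("leaky", LEAKY_POLICY)):
        print(name, audit(policy) or "OK")
```

The check is deliberately default-deny: a flow is only considered open if a rule explicitly allows it, so a policy that forgets the gateway-to-backend rules is reported as broken rather than silently passing. If the STA is moved to its own host, as Petje recommends, add a `(GATEWAY, sta_host, port)` entry to `REQUIRED` and the same audit covers it.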
 