Firewall Wizards mailing list archives
RE: OWA and Risk Assesment
From: "Simon Graham" <Simon.Graham () lvs1 com>
Date: Tue, 3 Dec 2002 23:08:44 -0700
It is worth noting that Citrix has its own proprietary gateway and ticketing service called Citrix Secure Gateway (CSG) that it uses to authenticate sessions and proxy sessions on port 443 for connection to backend Citrix Metaframe servers listening on TCP 1494 (ICA). In essence:

1) A user connects to a portal server (Citrix Nfuse on port 80 or 443) using user credentials (plus SecureID if required).

2) After login the request is passed to a proprietary ticketing authority and a ticket is generated. If authentication is successful, half of the ticket is returned to the client and the other half to the CSG server. At the same time the Metaframe farm is queried for apps accessible to the user, and using JavaScript a web page is created on the fly and returned to the user.

3) Once the user clicks on an app icon, an ICA file containing info about the app and connection is generated to allow connection on 443 to the CSG server.

4) At the CSG server the halves of the ticket are compared, and if they match the CSG server proxies the connection to the Metaframe farm via ICA.

All connections from the external network(s) can use SSL, and thus only 443 needs to be opened to the Nfuse Portal and the CSG servers sitting in a DMZ. Port 80 needs to be open from the portal in the DMZ to the Metaframe (ICA) farm on the internal network. ICA (1494) needs to be open from the CSG box in the DMZ to the Metaframe (ICA) farm on the internal network. I am told that the port 80 connections will be replaced with SSL ability in the next release.

Not perfect but an interesting approach. The Portal and CSG software is available for WIN2K and Solaris.
-----Original Message-----
From: David Lang [mailto:david.lang () digitalinsight com]
Sent: Monday, December 02, 2002 11:23 AM
To: Volker Tanger
Cc: adreyer () math uni-paderborn de; kronos () datastreamcowboys net; firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] OWA and Risk Assesment

No it doesn't (you can proxy it with a circuit proxy, but it's not an application-specific proxy).

ICA is easier to administer than OWA-specific ports and is therefore less likely to be misconfigured. In addition you only have the Citrix vulnerabilities to worry about, not IIS vulnerabilities (many fewer bugs discovered, if only because it's a smaller target). All of this makes ICA seem more secure to let through a firewall than all the OWA ports.

David Lang

On Mon, 2 Dec 2002, Volker Tanger wrote:
Date: Mon, 02 Dec 2002 14:37:53 +0100
From: Volker Tanger <volker.tanger () discon de>
To: adreyer () math uni-paderborn de
Cc: kronos () datastreamcowboys net, firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] OWA and Risk Assesment

Greetings!

Achim Dreyer wrote:
> btw: Does anybody know of any ICA or RDP proxy application?

If I remember correctly (haven't worked with it for a while) Symantec Enterprise Firewall (=Axent Raptor) has an ICA proxy.

Bye

Volker Tanger
IT-Security Consulting
--
discon gmbh
Wrangelstraße 100
D-10997 Berlin
fon +49 30 6104-3307
fax +49 30 6104-3461
volker.tanger () discon de
http://www.discon.de/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
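The split-ticket flow Simon describes (portal authenticates, a ticketing authority hands one half of the ticket to the client and the other to the gateway, and the gateway only proxies an ICA connection when the halves match) is easier to reason about as a small model. The following is an added illustration written for this archive page, not Citrix code, and the ticket format, the HMAC key shared between the ticketing authority and the gateway, the 60-second lifetime and the single-use rule are all assumptions; the account table and app entitlements are constructed sample data. What it shows that the prose does not is the set of failure cases a defender would want the gateway to refuse: a replayed ICA file, a tampered client half, an expired ticket, and a connection to anything other than the ICA port the farm listens on.

```python
import hmac
import hashlib
import secrets

ICA_PORT = 1494           # from the thread: the ICA listener on the Metaframe farm
TICKET_TTL_SECONDS = 60   # assumption: login tickets are short-lived

# Constructed accounts and app entitlements (hypothetical sample data).
USERS = {"alice": "correct horse", "bob": "battery staple"}
APPS = {"alice": ["Outlook", "Excel"], "bob": ["Excel"]}


class SecureGateway:
    """Stands in for the CSG box in the DMZ. It stores only the gateway half
    of each ticket plus an authenticator over the full ticket, so neither the
    client nor the gateway holds the whole ticket on its own."""

    def __init__(self, shared_key):
        self._key = shared_key    # assumed: shared with the ticketing authority
        self._pending = {}        # ticket_id -> (gateway_half, tag, user, expires_at)

    def register(self, ticket_id, gateway_half, tag, user, expires_at):
        self._pending[ticket_id] = (gateway_half, tag, user, expires_at)

    def connect(self, ica_file, now):
        """Return ("proxied", user) or ("refused", reason)."""
        # pop() makes every ticket single-use: a replayed ICA file finds nothing.
        entry = self._pending.pop(ica_file["ticket_id"], None)
        if entry is None:
            return ("refused", "unknown or already used ticket")
        gateway_half, tag, user, expires_at = entry
        if now > expires_at:
            return ("refused", "ticket expired")
        if ica_file["port"] != ICA_PORT:
            return ("refused", "gateway only proxies ICA")
        # "Compare the halves": reassemble the ticket and verify the authenticator.
        full_ticket = bytes.fromhex(ica_file["client_half"]) + gateway_half
        expected = hmac.new(self._key, full_ticket, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return ("refused", "ticket halves do not match")
        return ("proxied", user)


class TicketAuthority:
    """Issues a random ticket, splits it, and pushes the gateway half to CSG."""

    def __init__(self, shared_key, gateway):
        self._key = shared_key
        self._gateway = gateway

    def issue(self, user, now):
        ticket = secrets.token_bytes(32)
        tag = hmac.new(self._key, ticket, hashlib.sha256).digest()
        ticket_id = secrets.token_hex(8)
        self._gateway.register(ticket_id, ticket[16:], tag, user,
                               now + TICKET_TTL_SECONDS)
        return ticket_id, ticket[:16]


class Portal:
    """Stands in for the Nfuse portal: checks credentials, obtains a ticket,
    lists the user's apps and builds the ICA-style connection description."""

    def __init__(self, authority):
        self._authority = authority

    def login(self, user, password, now):
        if not hmac.compare_digest(USERS.get(user, ""), password):
            return None
        ticket_id, client_half = self._authority.issue(user, now)
        return {"ticket_id": ticket_id, "client_half": client_half.hex(),
                "apps": APPS[user]}

    @staticmethod
    def ica_file(session, app):
        if app not in session["apps"]:
            return None
        return {"ticket_id": session["ticket_id"],
                "client_half": session["client_half"],
                "app": app, "port": ICA_PORT}


def build():
    key = secrets.token_bytes(32)
    gateway = SecureGateway(key)
    return Portal(TicketAuthority(key, gateway)), gateway


def demo():
    """Run the happy path and the refusal cases; returns a dict of outcomes."""
    portal, gateway = build()
    results = {}
    session = portal.login("alice", "correct horse", now=1000)
    ica = Portal.ica_file(session, "Outlook")
    results["fresh"] = gateway.connect(ica, now=1010)
    results["replay"] = gateway.connect(ica, now=1011)
    tampered = dict(Portal.ica_file(portal.login("bob", "battery staple", 1000), "Excel"))
    tampered["client_half"] = "00" * 16
    results["tampered"] = gateway.connect(tampered, now=1001)
    late = Portal.ica_file(portal.login("bob", "battery staple", 1000), "Excel")
    results["expired"] = gateway.connect(late, now=1000 + TICKET_TTL_SECONDS + 1)
    results["wrong_password"] = portal.login("alice", "wrong", 1000)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The point of keeping the authenticator on the gateway rather than the client's half itself is that a compromised DMZ gateway alone cannot mint a usable ICA file, and the portal never needs to reach the gateway after issuing. The model also makes visible what the original description leaves implicit: without a lifetime and a single-use rule, an ICA file captured from a client would remain valid indefinitely.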
Current thread:
- OWA and Risk Assesment kronos (Dec 02)
- Re: OWA and Risk Assesment Achim Dreyer (Dec 02)
- Re: OWA and Risk Assesment Volker Tanger (Dec 02)
- Re: OWA and Risk Assesment David Lang (Dec 02)
- Re: OWA and Risk Assesment Volker Tanger (Dec 02)
- <Possible follow-ups>
- RE: OWA and Risk Assesment Simon Graham (Dec 04)
- RE: OWA and Risk Assesment Eric L Budke (Dec 04)
- RE: OWA and Risk Assesment David Lang (Dec 04)
- Re: OWA and Risk Assesment Achim Dreyer (Dec 02)