Firewall Wizards mailing list archives
RE: VPN: Citrix IPSEC experiences?
From: "Claussen, Ken" <Ken () kccweb com>
Date: Sat, 26 Jul 2003 00:15:00 -0400
These are two entirely different products and each serves its own purpose. The Cisco VPN Client is different than the Cisco IOS IPSEC. Use this for access to your entire LAN remotely.

For Citrix the situation is a bit different. First, for secure external access, as of Metaframe XP the best way is to use Citrix Secure Gateway (CSG). CSG is essentially an SSL Citrix ICA Proxy. It provides a secure connection to the Web server which can be placed in a DMZ. Then restricted access is allowed to the Metaframe Server. This also requires you to run a Secure Ticketing Authority (usually on the Metaframe server itself). Meaning port TCP 1494 and whatever port you choose to run the STA on must be open. This also requires a Public NFuse server for authentication prior to the connection to the CSG server. In your NFuse admin tool you can specify that users can automagically download the Web client. This works only if they have local admin rights (unless they changed this recently).

There is considerable administration too, although it is centralized and controlled through Group membership. Each has their place. I think you would find an NFuse (W/SSL) CSG, Citrix Published Application farm provides controlled access for 90% of your users. It is the other 10% which have greater needs which will likely still need something like the VPN client.

Does the Nortel act as a VPN concentrator? Cisco has a VPN 3005 ($3000) which will support 100 clients and NAT Traversal.

HTH.
Ken

-----Original Message-----
From: Darden, Patrick S. [mailto:darden () armc org]
Sent: Friday, July 25, 2003 3:39 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] VPN: Citrix IPSEC experiences?

Is anyone using a Citrix IPSEC product with any luck? The documentation I found makes it look compatible only with Win9X (ICA client) and NT 4.0 (Extranet Server). Plus, no NAT-traversal, no ICSA certification, and no compatibility with other IPSEC clients nor servers.

We currently use Nortel Contivity Extranet Switches and Cisco's IPSEC IOS with no problems; however, a coworker remarked that using Citrix's solution would be a lot easier--no client setup, no administration, etc.

What are people's experiences?

Thanks,
--Patrick Darden

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards