-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: David Lang [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 13, 2000 5:10 PM
> 
> how do you setup Citrix to use two factor authentication?
> 
> I am working on this now and after having both microsoft (terminal
> server) and Citrix reps in they have said that if you really need
> that sort of security run citrix through a VPN and do the 
> authentication on the VPN.  

As of today (at least as far as I know) these are your options. Either use
a VPN or, if you are using/planning to use SecureICA, just open a
port on the firewall after successful authentication. I think the
SecureICA (128 bit encryption on the ICA protocol itself) and a port
opened after token authentication against the firewall is the
preferred method. A VPN would add overhead on the traffic. Running
ICA through IPSec performs pretty well, but don't use PPTP. Besides
the known vulnerabilities, the performance ... well... just plain
sucks...

I almost had Vasco rewrite their GINA (graphical logon interface on
NT) to be compatible with Terminal Server. That GINA is loaded to use
their tokens, especially the challenge/response based one (with the
flashing bar code on the screen). Works great on NT WS/S/SEE, however
under Terminal Server it behaved strangely. If you logged off, the
prompt wouldn't come back. You actually had to disconnect and perform
another step. This issue was due to the multi-user additions in the
GINA under Terminal Server.

I have not seen another token GINA that worked properly with Terminal
Server. If someone knows of a token vendor who supports TS, please
let me know, because that would be the holy grail. In that case you
could allow ICA connection to the Terminal Server without having to
authenticate on the firewall first. Without a token, you wouldn't get
in. This comes especially handy if you serve Terminal Server session
through a web page. Just open your browser, connect to your server,
authenticate with token to Citrix and you're in.... This remains a
dream of mine... sigh.

> the next best thing they have been able to say is to use the 
> browser-based
> version of the client that authenticates to the web server 
> (HTTP or HTTPS
> are supported) and implement strong authentication on the web
> server before access is allowed to the citrix URL.  

Nope. As far as I remember, the client is loaded through the page
(Active X Control), but still established an ICA protocol session to
the Terminal Server. In other words, anyone with a client could hit
the port directly.

> 1. you are forced to use the browser based client, poorer 
> performance than
> the full client from what I have been told.

Yeah, it's slightly better using the client instead of the web page.

> 2. I am nervous about letting port 1494 through because I don't
> fully understand how the authentication works between the web
> server and the citrix server. The 'correct' way for things to happen
> is for the client to connect to the web server, authenticate, then
> connect to 1494, but what's to stop a hacker from hitting 1494
> directly and pretend that he has already authenticated?  

Yup. Though the problem is not that a hacker could spoof an active
session (SecureICA uses keys that are exchanged during setup), but
rather that anyone could get to the Logon Dialog and try
username/password combos. This could result in a DOS if user
accounts are locked out after failed attempts. Furthermore, someone
might flood the ICA port, but then again, which port cannot be
flooded...

> This is assuming that we use the strong encryption option for 
> citrix or
> that would also be a problem.

Highly recommended.


What firewall do you have in front of the Terminal Server?

Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBOW5iLERKym0LjhFcEQJlbQCfUNZnFfi8g71E81+Vl3mFie93RQsAniV5
IZ0ADi50ruYDrx3Mv1G51suE
=8HnY
-----END PGP SIGNATURE-----
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
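As an added illustration of the two points Frank raises above (opening the ICA port on the firewall per source address only after token authentication, and the lockout denial-of-service risk when the Terminal Server logon dialog is reachable directly), the following Python model is not part of this thread and is not code from any Citrix or firewall product. Only the port number 1494 comes from the thread; the grant lifetime, the lockout threshold, the `AuthGatedFirewall` class, and the log line format are constructed assumptions.

```python
"""
Model of "open the ICA port only after token authentication at the firewall"
plus a small failed-logon counter for the exposed-logon-dialog lockout risk.
Added example: not code from the thread or from any vendor. Names, limits
and the sample log are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

ICA_PORT = 1494            # ICA listener port named in the thread
GRANT_TTL = 8 * 3600       # assumed lifetime of a post-authentication grant, seconds
LOCKOUT_THRESHOLD = 5      # assumed account lockout threshold on the Terminal Server


@dataclass
class AuthGatedFirewall:
    """Default-deny firewall: ICA_PORT is opened for a source address only
    after that source completed token authentication against the firewall."""
    grants: dict = field(default_factory=dict)   # src_ip -> grant expiry (epoch seconds)

    def token_login(self, src_ip, token_valid, now):
        # The token check itself is assumed to be done by the firewall's own
        # authentication service; this model only records the outcome.
        if token_valid:
            self.grants[src_ip] = now + GRANT_TTL
        return token_valid

    def permits(self, src_ip, dst_port, now):
        """True only for ICA traffic from a source with an unexpired grant."""
        if dst_port != ICA_PORT:
            return False                      # nothing else is exposed in this model
        expiry = self.grants.get(src_ip)
        if expiry is None or now >= expiry:
            self.grants.pop(src_ip, None)     # drop a stale grant on first use after expiry
            return False
        return True


def failed_logons_by_source(log_lines):
    """Count failed Terminal Server logons per source address.
    Constructed log format: '<time> LOGON <OK|FAIL> user=<name> src=<ip>'."""
    counts = defaultdict(int)
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 5 and fields[1] == "LOGON" and fields[2] == "FAIL":
            src = fields[4].split("=", 1)[1]
            counts[src] += 1
    return dict(counts)


def sources_near_lockout(log_lines, threshold=LOCKOUT_THRESHOLD):
    """Sources one failure away from (or past) the lockout threshold, i.e. the
    pattern that would lock out accounts if the logon dialog were reachable
    without passing the firewall authentication first."""
    return sorted(src for src, n in failed_logons_by_source(log_lines).items()
                  if n >= threshold - 1)


# Constructed sample log, not real data.
SAMPLE_LOG = [
    "10:00:01 LOGON FAIL user=jsmith src=203.0.113.7",
    "10:00:02 LOGON FAIL user=jsmith src=203.0.113.7",
    "10:00:03 LOGON FAIL user=jsmith src=203.0.113.7",
    "10:00:04 LOGON FAIL user=jsmith src=203.0.113.7",
    "10:00:09 LOGON OK user=mjones src=198.51.100.4",
    "10:00:12 LOGON FAIL user=mjones src=198.51.100.4",
]


if __name__ == "__main__":
    fw = AuthGatedFirewall()
    print("before token auth:", fw.permits("203.0.113.7", ICA_PORT, now=1000))
    fw.token_login("203.0.113.7", token_valid=True, now=1000)
    print("after token auth: ", fw.permits("203.0.113.7", ICA_PORT, now=1001))
    print("after grant TTL:  ", fw.permits("203.0.113.7", ICA_PORT, now=1000 + GRANT_TTL))
    print("near lockout:", sources_near_lockout(SAMPLE_LOG))
```

The point the model makes concrete: with the firewall grant in front of port 1494, the repeated failures in the sample log can only come from a source that already holds a valid token, so the unauthenticated lockout scenario Frank describes is removed rather than merely detected.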