We're actually in pilot/production (depending on who you ask) on an almost
identical implementation: two firewalls, two web servers, SecurID, and two
Citrix servers.

The architecture is as follows, from top to bottom:

<internet connection>
             |
    <firewall A>
             |--------<webserver A>
    <firewall B>
             |
             |--------<webserver B>
             |--------<ACE/Server (SecurID)>
             |--------<citrix A>
             |--------<citrix B>

Firewall A: performs basic firewalling
Webserver A: provides starting-point website and a link to the second
webserver, which will force client auth
Firewall B: performs basic firewalling, plus client auth via SecurID
Webserver B: provides .ICA files for launching the citrix sessions
ACE/Server: provides authentication services
CitrixA, CitrixB: load balanced server farm with published applications

If you don't use SecureICA, you can auto-install the ActiveX plug-in for
embedded applications. If you use SecureICA (use 128-bit if you can), the
users must manually install the ActiveX plug-in. (The Netscape plug-in must
always be installed manually.)

We have packaged the SecureICA ActiveX plug-in (along with some other
client-side stuff that we need) using the Wise Installer, so it's
relatively easy for the users to install it manually.

For what you're doing, SecureICA is fine. No need for other client-side
stuff (e.g., CP SecuRemote) unless you don't even want to advertise the
fact that you're running Citrix (traffic on ports 1494 and 1604 is a dead
giveaway) to someone sniffing your traffic.

Dave Grabowski
System Arts, Inc.
(212) 604-9015 x316
[EMAIL PROTECTED]
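As an added example (not code from either message, and not a Check Point or Citrix configuration), here is a small Python model of the two-tier rule base Dave's diagram implies: firewall A fronts webserver A and passes only the web and ICA ports through to firewall B, and firewall B requires SecurID client authentication from a source before it lets that source reach webserver B or the Citrix farm on tcp/1494 (ICA) and udp/1604 (ICA browser). Every hostname, address, rule name and rule order below is an assumption made for illustration, and the flows at the bottom are constructed sample traffic.

```python
"""Two-firewall Citrix DMZ modelled as two first-match rule bases.

Added example, not code from the list posts.  Hostnames, addresses, rule
names and rule order are assumptions; the sample flows are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    name: str
    dst: Optional[Set[str]]   # None matches any destination
    proto: str
    dports: Set[int]
    action: str               # "accept", "drop" or "client-auth"

    def matches(self, flow: Flow) -> bool:
        return (flow.proto == self.proto
                and flow.dport in self.dports
                and (self.dst is None or flow.dst in self.dst))


class Firewall:
    """First-match rule base with an implicit cleanup (deny) rule."""

    def __init__(self, name: str, rules: List[Rule]) -> None:
        self.name = name
        self.rules = rules
        self.authenticated: Set[str] = set()   # sources that passed SecurID

    def authenticate(self, src: str, passcode_ok: bool) -> bool:
        # The ACE/Server verifies the token code in the real deployment;
        # here only the outcome of that check is passed in (assumption).
        if passcode_ok:
            self.authenticated.add(src)
        return passcode_ok

    def decide(self, flow: Flow) -> Tuple[str, str]:
        for rule in self.rules:
            if not rule.matches(flow):
                continue
            if rule.action == "client-auth":
                ok = flow.src in self.authenticated
                return ("accept" if ok else "drop", f"{self.name}:{rule.name}")
            return (rule.action, f"{self.name}:{rule.name}")
        return ("drop", f"{self.name}:cleanup")   # nothing matched: deny


BEHIND_A: Set[str] = {"webserver-a"}   # reachable after firewall A alone


def evaluate(flow: Flow, fw_a: Firewall, fw_b: Firewall) -> Tuple[str, str]:
    """Walk an Internet-origin flow through firewall A, then B if needed."""
    verdict, where = fw_a.decide(flow)
    if verdict != "accept" or flow.dst in BEHIND_A:
        return verdict, where
    return fw_b.decide(flow)


def build_topology() -> Tuple[Firewall, Firewall]:
    citrix = {"citrix-a", "citrix-b"}
    fw_a = Firewall("fw-a", [
        Rule("web-front", {"webserver-a"}, "tcp", {80, 443}, "accept"),
        Rule("pass-web-b", {"webserver-b"}, "tcp", {443}, "accept"),
        Rule("pass-ica", citrix, "tcp", {1494}, "accept"),
        Rule("pass-ica-browser", citrix, "udp", {1604}, "accept"),
    ])
    fw_b = Firewall("fw-b", [
        Rule("auth-web-b", {"webserver-b"}, "tcp", {443}, "client-auth"),
        Rule("auth-ica", citrix, "tcp", {1494}, "client-auth"),
        Rule("auth-ica-browser", citrix, "udp", {1604}, "client-auth"),
    ])
    return fw_a, fw_b


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Constructed flows: one client that authenticates, one that never does."""
    fw_a, fw_b = build_topology()
    client, stranger = "203.0.113.10", "198.51.100.7"
    r: Dict[str, Tuple[str, str]] = {}
    r["anon-web-a"] = evaluate(Flow(client, "webserver-a", "tcp", 443), fw_a, fw_b)
    r["anon-web-b"] = evaluate(Flow(client, "webserver-b", "tcp", 443), fw_a, fw_b)
    r["anon-ica"] = evaluate(Flow(client, "citrix-a", "tcp", 1494), fw_a, fw_b)
    fw_b.authenticate(client, passcode_ok=True)   # SecurID passcode accepted
    r["auth-web-b"] = evaluate(Flow(client, "webserver-b", "tcp", 443), fw_a, fw_b)
    r["auth-ica"] = evaluate(Flow(client, "citrix-a", "tcp", 1494), fw_a, fw_b)
    r["auth-ica-browser"] = evaluate(Flow(client, "citrix-b", "udp", 1604), fw_a, fw_b)
    r["stranger-ica"] = evaluate(Flow(stranger, "citrix-a", "tcp", 1494), fw_a, fw_b)
    r["direct-ace"] = evaluate(Flow(client, "ace-server", "udp", 5500), fw_a, fw_b)
    r["ssh-web-a"] = evaluate(Flow(client, "webserver-a", "tcp", 22), fw_a, fw_b)
    return r


if __name__ == "__main__":
    for name, (verdict, where) in run_scenario().items():
        print(f"{name:18s} {verdict:6s} ({where})")
```

The point the model makes: the ICA ports are open on firewall A for anyone, so an unauthenticated source gets as far as firewall B before being stopped by the client-auth rule there, and nothing reaches the ACE/Server from the Internet because firewall A has no rule for it and falls through to its cleanup rule.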

From: Peter York <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: [FW1] SecureICA?
Date: 06/09/2000 04:34 AM

My client wishes to use a thin client solution for delivering their
applications.  Therefore the plan is to have 2 firewalls between the public
and private network with the application server sitting in a DMZ.

On the public firewall, configure a SecurID client, with the ACE/Server
located in the DMZ.

Then we can deliver the application through the SecureICA (ActiveX, 56-bit
encryption) client. (To my limited security knowledge this is the equivalent
of a VPN for ICA only, without the overheads!)

Can anyone with any knowledge please comment on my solution, plus any further
recommendations they may have (encryption, certificates, etc.)?

The theory is: if I use SecureICA rather than a firewall client, then the
deployment will be simplified, as the ActiveX SecureICA client will download;
as far as I know there are no VPN ActiveX/Java clients?

Any thoughts (particularly with regard to any security implications)?

Regards

Peter York
Technosys Ltd


================================================================================

     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================