We are testing out Citrix MetaFrame XP and using their NFuse web
interface.  The beginning connections by the user are all done through
the web interface, and can be secured via SSL, but the last piece goes
directly from the client on the Internet to the MetaFrame server and no
longer routes through the web front end, so it is no longer using SSL
for encryption.  This requires opening port 1494 directly to the
MetaFrame server.  Citrix can use up to RC5 128-bit encryption for the
communication going over port 1494, Citrix's ICA protocol.

It works basically like this.

1. User hits web site and logs in (encrypted via SSL). ICA client can be
installed over the web at this time.
2. Web site passes user information to Citrix Server (can be encrypted
via Citrix's SSL relay)
3. Citrix server passes to web server list of published apps that user
can access (can be encrypted via Citrix's SSL relay)
4. Web server generates page with links to the published apps which it
sends to the web browser (encrypted via SSL)
5. User clicks on desired app, which sends a request for an ICA file to
the web server (encrypted via SSL)
6. Web server puts in info specific to user and sends ICA file back to
browser which is passed onto the local ICA client (encrypted via SSL)
7. The ICA client receives the file and initiates a session directly
with the Citrix server (encrypted via RC5 128-bit)

What security issues should I be aware of when setting this up?  Are
there any known vulnerabilities on port 1494 that I will be exposing my
network to?

As I see it, it seems that this is fairly similar to accessing data
through a web interface encrypted with SSL, it is just going over a
different port and using a different encryption algorithm.

Am I missing anything here?  Should I be worried about setting up a
configuration of this type?

Thanks for the help.

_______________________________________
Rick Camp
Senior Consultant
Welsh Consulting, Inc. 
31 Milk Street, Suite 805 
Boston, MA 02109 
617-695-9800 Tel 
617-695-0350 Fax 
[EMAIL PROTECTED] 
www.welsh.com
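An added check, not from the original post or from Citrix: since the web server builds the ICA file in step 6, audit what it emits and confirm each published app asks the client for RC5 128-bit rather than a weaker level. The INI-style layout and the key names (EncryptionLevelSession, Address) are assumed from the ICA file format; the sample files are constructed.

```python
import configparser

# Constructed sample ICA file (layout and key names are assumptions).
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Outlook=

[Outlook]
Address=203.0.113.10:1494
InitialProgram=#Outlook
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
EncryptionLevelSession=EncRC5-128
"""

# Same file with the encryption key left out, to show the fallback.
SAMPLE_ICA_NO_LEVEL = SAMPLE_ICA.replace("EncryptionLevelSession=EncRC5-128\n", "")

# Ordered weakest to strongest. A missing key is treated as Basic: the
# client only requests what the file says, so silence means no RC5.
LEVELS = ["Basic", "EncRC5-0", "EncRC5-40", "EncRC5-56", "EncRC5-128"]


def audit_ica(text, required="EncRC5-128"):
    """Map each published app in the ICA file to a list of findings.

    An empty list means the app passes. Note that the file expresses only
    what the client asks for; the server's minimum-encryption setting is
    what actually enforces the level.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    apps = cp.options("ApplicationServers") if cp.has_section("ApplicationServers") else []
    findings = {}
    for app in apps:
        problems = []
        sec = cp[app] if cp.has_section(app) else {}
        level = sec.get("EncryptionLevelSession", "Basic")
        if level not in LEVELS:
            problems.append(f"unknown encryption level {level!r}")
        elif LEVELS.index(level) < LEVELS.index(required):
            problems.append(f"encryption {level} weaker than required {required}")
        if not sec.get("Address"):
            problems.append("no Address for the MetaFrame server")
        findings[app] = problems
    return findings
```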

