
RE: Citrix Metaframe/NT4-TSE






It can be done many ways, the easiest of which is to open port 1494
through the firewall to the Metaframe/TS address.  Definitely restrict
traffic to only this address.  Alternatively you may use NAT from the
outside: allow traffic on 1494 and redirect to a new port internally.
Citrix has a document on their site regarding changing the default port
for client connectivity.  This provides security through obscurity.
Citrix uses a relatively weak encryption, Xorr (I think); if security is
an issue, invest in the Secure ICA add-on pack, which provides 128-bit MD5
encryption.  Also be sure the terminal server itself has been hardened;
there are not any known exploits or overruns in the ICA protocol to my
knowledge.  The ability to control the user environment and access to
information through terminal server is very powerful, and when properly
secured it is also extremely stable.  I recommend against mapping drives
and printers, as this has always been an issue in terms of security risks
(client drive mapping) and stability (unregistered printer drivers, i.e.
HP 1100 LaserJet).  Anyway, from the perspective of the firewall, if your
rule set limits traffic to only the terminal server and you change the
default port, then the possibility for exploit is extremely small.  From
the client, if you type Address:port it will override the default port
of 1494 when it tries to connect; this is necessary if you remap the port
or change it on the Citrix server.

Ken Claussen
kclausse@columbus.rr.com
"The mind is a terrible thing to waste!"


-----Original Message-----
From: firewalls-owner@Lists.GNAC.NET
[mailto:firewalls-owner@Lists.GNAC.NET]On Behalf Of
Joseph_Lagomarsino@fwc.com
Sent: Thursday, July 13, 2000 8:27 AM
To: firewalls@Lists.GNAC.NET
Subject: Citrix Metaframe/NT4-TSE


     Has anyone had experiences good or bad with passing Metaframe thru a
     firewall?
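The two firewall variants Ken describes above (pass TCP 1494 only to the MetaFrame/TS address, or accept a non-default external port and NAT it to 1494 on the server), plus the client-side "Address:port" override, as an added worked example. This is not code from the original thread or from Citrix; the addresses (192.0.2.10, 192.0.2.0/24, 203.0.113.1, 198.51.100.7) and the external port 5494 are constructed for illustration, and the rule evaluator is a deliberately small model of first-match, default-deny filtering rather than any particular firewall product.

```python
"""Added example (not part of the original mailing-list post): a small model of
the firewall policy for publishing Citrix MetaFrame / NT4 Terminal Server.

Variant 1: pass TCP 1494 straight through, but only to the MetaFrame server.
Variant 2: accept a non-default external port and DNAT it to server:1494.

All addresses and the external port 5494 are constructed for illustration;
5494 is an arbitrary choice, not a Citrix default.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ICA_DEFAULT_PORT = 1494            # default Citrix ICA listener port

METAFRAME_SERVER = "192.0.2.10"    # constructed: internal MetaFrame/TSE address
INTERNAL_NET = "192.0.2.0/24"      # constructed: the rest of the internal LAN
EXTERNAL_ICA_PORT = 5494           # hypothetical non-default external port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    dst: IPv4Network               # destination prefix the rule matches
    dport: Optional[int]           # None matches any destination port
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and ip_address(pkt.dst) in self.dst
                and (self.dport is None or pkt.dport == self.dport))


def first_match(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation with an implicit deny, as most firewalls do."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Variant 1: from the outside, only TCP 1494 to the MetaFrame server passes.
# The explicit deny for the rest of the LAN documents the intent; the implicit
# deny in first_match() would catch it anyway.
DIRECT_RULES = [
    Rule("allow", ip_network(f"{METAFRAME_SERVER}/32"), ICA_DEFAULT_PORT),
    Rule("deny", ip_network(INTERNAL_NET), None),
]


def nat_redirect(pkt: Packet) -> Optional[Packet]:
    """Variant 2: DNAT TCP/EXTERNAL_ICA_PORT on the outside to server:1494.
    Returns the rewritten packet, or None if this is not the published port."""
    if pkt.proto == "tcp" and pkt.dport == EXTERNAL_ICA_PORT:
        return Packet(pkt.src, METAFRAME_SERVER, ICA_DEFAULT_PORT, pkt.proto)
    return None


def filter_with_nat(pkt: Packet) -> str:
    """Redirect first, then filter the translated packet with the same rules.
    Anything not redirected is dropped, so a direct probe of 1494 from the
    outside is denied even though 1494 is open to the server internally."""
    translated = nat_redirect(pkt)
    if translated is None:
        return "deny"
    return first_match(DIRECT_RULES, translated)


def parse_ica_address(text: str) -> Tuple[str, int]:
    """Client side: 'host:port' overrides the default ICA port of 1494."""
    host, sep, port = text.rpartition(":")
    if not sep:
        return text, ICA_DEFAULT_PORT
    return host, int(port)


if __name__ == "__main__":
    outside = "198.51.100.7"        # constructed: an Internet client
    print(first_match(DIRECT_RULES, Packet(outside, METAFRAME_SERVER, 1494)))
    print(first_match(DIRECT_RULES, Packet(outside, "192.0.2.20", 1494)))
    print(filter_with_nat(Packet(outside, "203.0.113.1", EXTERNAL_ICA_PORT)))
    print(filter_with_nat(Packet(outside, "203.0.113.1", 1494)))
    print(parse_ica_address("ts.example.com:5494"))
```

The point of modelling both variants side by side is the one the post makes: the port change on its own is obscurity, but combined with a rule set that admits traffic to nothing except the terminal server it leaves the outside with exactly one reachable service. The `parse_ica_address` helper mirrors the client behaviour described in the post, where typing `Address:port` overrides the 1494 default and is required once the port is remapped.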
