I'm in the process of creating an authentication diagram for a new Citrix installation. I'm trying to minimize the number of passwords users will need to actually start using the application. Half of the users will be using VPN to gain access to NFuse. Currently it seems they will need the following passwords:
1. Network Login
2. Firewall Login
3. Citrix Login
4. Application Login
We run a NetWare network but the users who will be using a VPN have an MS network. Some thoughts I had were the following:
1. User at remote login logs onto their network
2. Double-clicks icon to access shortcut to NFuse
3. Their firewall checks it out and routes it via tunnel, encrypted. It hits our firewall, our rules check it out, decrypts it, uses LDAP against our Domain Controller (need to create one) and allows the user to see the NFuse.
4. User then gets the Application via ActiveX control and then logs into the Application.
In this case there are only 2 passwords
1. Network
2. Application
I'm not sure if that is the best method. Would it be better to have a RADIUS server between the firewall and the Domain Controller?
On the NetWare side, I'm thinking to use DirXML to sync the MS Accounts with our NDS to have a single point of administration.
What do you use? How do you have it set up?
Thanks - Appreciate the Input!