Citrix through PIX firewall


chadd25 (MIS, US), Apr 26, 2003
We have been running MetaFrame 1.8 for a couple of years now and have been fairly happy with it. We recently purchased a new server and are rolling it out to users. It is a Dell PE with (2) 2.8 GHz Xeons and 4 GB of RAM. We are running MF XPa FR2 on it.

We have guys in the field that are running CDPD modems in their laptops. They come down a 56K frame and connect to the old MF 1.8 server currently. We are replacing the CDPD modems with GPRS modems. I have set up a test user using the GPRS modem to come in through our internet connection through our firewall. We have a PIX 515 firewall.

They first create a VPN connection to the PIX with Cisco's VPN client and then launch Program Neighborhood. It is somewhat sluggish though. Slower than the CDPDs coming down the frame. Our internet connection is 512K. I believe the VPN is taking up a lot of bandwidth.

Is there a way I can open up certain ports on the firewall so I do not need to create the VPN? Are there specific command line examples that I can use on the PIX? How vulnerable will I be if I just open up ports for ICA communications?

Any help appreciated.

Thanks,
Mike
 
If you do not want the VPN, you'll need to have port 1494 unblocked on your PIX, and that port will need to be forwarded to your Terminal Server. I assume you have a Cisco router to go with the PIX? The security risk is simple... Anyone with an ICA client will have the ability to get to a login screen. If your server is frequently patched with security updates, and you have a good password schema, you should be pretty safe. You might want to review your account lockout policies for failed login attempts; this will protect you from someone hacking in with an automated script.

As for specific PIX commands, just hop on google, or post this in a Cisco forum. They're really just unix commands, but I don't do them often enough to remember them.

Matt
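The PIX commands the reply above points to Google for, as an added example that is not part of the original thread. It shows the three statements that publish the MetaFrame server and admit only ICA (TCP 1494) to it, which is the narrowest way to do what the reply describes. The addresses 203.0.113.10 (public) and 10.1.1.20 (the server's inside address), the interface names and the ACL name `outside_in` are all assumptions for illustration; PIX 6.x access-list syntax is assumed for a PIX 515 of that era.

```cisco
! Added example, not from the thread. Assumed values:
!   203.0.113.10 = public address the field laptops will point their ICA client at
!   10.1.1.20    = inside address of the MetaFrame XP server
!   inside/outside interface names and the ACL name are also assumptions.

! 1. Publish the inside server on one public address (one-to-one static NAT).
static (inside,outside) 203.0.113.10 10.1.1.20 netmask 255.255.255.255 0 0

! 2. Permit ICA, TCP 1494, from anywhere to that address and nothing else.
!    Do NOT write "permit ip any host 203.0.113.10": that would expose every
!    service listening on the server (SMB, RDP, RPC, ...), not just ICA.
access-list outside_in permit tcp any host 203.0.113.10 eq 1494

! 3. Apply the ACL inbound on the outside interface. Everything the ACL does
!    not permit is dropped by the PIX, so no explicit deny line is needed.
!    If an access-group is already bound to "outside", add the permit line
!    to that ACL instead; binding a new one replaces the old binding.
access-group outside_in in interface outside

! 4. Make the new translation take effect and check what is now exposed.
clear xlate
show static
show access-list outside_in
```

Two checks before telling the field users to switch: first, from an outside host confirm that only TCP 1494 answers on 203.0.113.10 (anything else that responds means the ACL is wider than intended); second, on the MetaFrame server review the lockout settings the reply mentions (`net accounts` on Windows 2000 shows the current threshold, duration and window), since with 1494 open the logon prompt is reachable by anyone on the Internet. One caveat on Program Neighborhood: enumerating the farm's published applications uses the ICA browser (UDP 1604) or the XML service over TCP 80, neither of which this ACL permits; a custom ICA connection aimed directly at 203.0.113.10 needs only 1494, which keeps the exposed surface to a single port.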
 
Or you could use Citrix Secure Gateway, which acts as a kind of secure VPN for Citrix products only.

Hope this helps

CitrixEngineer@yahoo.co.uk
 
Once you have opened port 1494, as stated in another reply, you will be able to see your Citrix server.
To enhance security at this point you can get your users to use a smart card or something to that effect. This is a device that generates a different secure password each time the user logs on. This password is authenticated at the server before allowing a logon to the server to start.
I have used these before to great effect. Many smart cards are built to work specifically with Citrix.
 
You could also use Secure Computing's Safeword for Metaframe product - users get a token that generates a unique passcode which is used in combination with their username and password (for about £70 per user). Integrates with CSG/NFuse.
 