Nfuse with SSL 1

[june1980]

We need to get a app out to our customers, and we want to do it with 128bit SSL encryption. Here's the deal; I've never used that before. What could ya'll tell me about this? Can you point me to a PDF somewhere?

I could use anything you've got on securing Nfuse.

 

[KCDave03]

are you implementing NFuse on Windows or Unix?

 

[june1980]

On windows 2k sp3 running Citrix fp1. Sorry, should have included that to begin with.

 

[KCDave03]

I can tell you that you will need to obtain a digital certificate from Verisign or some other verification source and register that certificate within IIS and the FQDN with an Internet host authority. I think you can download an IIS lockdown tool from Microsoft.

 

[bran2235]

You can also use your own "Private Certificate Authority".. just make sure to give the Root Certificate to your customers... Public CAs can be costly. But, it all depends on the number of customers you need to give the certificate to...

Hope this helps some...
Brandon

 

[june1980]

Cool, doing google searches and finding stuff out based on what you guys are telling me. Thanks!

However, does anyone know how to generate your own public/private certs?

Thanks again!

 

[bran2235]

You can create a Private CA- Have to be on a

http://www server

running the certificate service (add/remove pgms, windows components)... The CA will generate your root and server certificates.

Then you have to download the cert to the PCs and/or Servers that will use them by going to

http://servername/certsrv.

where servername is the FQDN of the server running the certifcate services,

TO INSTALL THE SERVER CERT--
Click Request a cert. and then next;
Click Advanced request and click Next;
Click Sumbit a certificate request to this CA using a form and click next;
Select Web Server from the drop-down list beneath the Certificate Template region;
Type the FQDN of the server in the name field;
Scroll to Key Size Field and type 1024;
Select use local machine store;
Click Submit to generate the Server Certificate-
Click INSTALL THIS CERTIFICATE

------------------------
TO INSTALL ROOT CERT ON PC
Launch IE and tpe

http://servername/certsrv

where the servername is the server running the cert. services;
Select Retrieve the CA certificated or certificate revokation list and click NEXT;
Download the CA Cert. link;
Save it;

------
Hope this helps-
Brandon

 

[june1980]

Thanks lots everyone! I should be able to take it from here!

 

[bigpapapump]

I'm running ICA clients and not publishing apps.

Can I still create and use the Private Certificate method desribed above to tighten up my security or do I need to approach it a different way?

Does running the Certificate service use a lot of resorces or can it be run on almost on serevr?

TIA

 

[bran2235]

On any server should be ample...
I would download the IIS lockdown tool (like KCDave suggested) too!

Brandon

 

[bigpapapump]

Thanks Bran!

I'm using ICA Client 7.0, Can I still create and use the Private Certificate method desribed above to tighten up my security or do I need to approach it a different way?

 

[bran2235]

Yes. Actually, the two (ICA ver and your Private CA) really don't have anything to do w/ one another...

Hope this helps.

 

[bigpapapump]

cool - thanks!

 

[bigpapapump]

I guess I'm in over my head here. I'm not planning on using NFuse just the Private Certificate Authority.

Is it as simple as Bran's steps above on the server and client side for the client that's configured to connect to that server via Citrix or is there something I need to implement on the Citrix side?

I'm running MF XP sr3 on Win2k sp4 with about 30 users.
It seems to easy.

 

[bigpapapump]

Can I just use the Private CA with a standard Citrix setup to tighten up security a bit?

Seems pretty straight forward on setting up the server and clients.