Secure Gateway finding domains question

Status
Not open for further replies.

rayzze

IS-IT--Management
Sep 17, 2002
64
0
0
US
I have a Citrix Secure Gateway/Web Interface 2.0 server that allows access to 5 different farms with users in 4 different domains. When the Web Interface needs to check your domain logon credentials, how does it select the server that will query the domain? The Web Interface is in the DMZ, so it has no way to do the work itself, so I know that it must forward the request on to a MetaFrame server.

Now to the real problem: I had a situation today after adding a new farm to be administered by the Web Interface. One of my domains' users couldn't authenticate through the Web Interface, while all other domains' users could log on through the gateway fine. As soon as I removed the information for the new farm from the list of administered farms, everything was normal again. The domain that houses the new farm I added doesn't have a trust relationship with the domain whose users were getting the "credentials are invalid" error. Without knowing the process WI uses to check user credentials I feel a bit unsecure about my secure gateway...

Any help or just places to look would be greatly appreciated.
 
The authentication should be bounced through to the Citrix server you are enumerating from.
 
Yes, that is true, but I was hoping to get a better view as to how the server is chosen to do that enumeration... When the Web Interface is managing several farms, how does it choose which server in which farm will be used to provide the "bouncing" of the credential information? I would have assumed that the top farm listed in Wiadmin would be the one asked, but that doesn't seem to be the case.

Thanks for replying!
 
If anyone was curious, here is the answer I got from the Citrix forum...

For each farm, you can list multiple XML brokers. If the "Use list for load balancing" box is not checked, then WI will always use the first server for all XML communication (unless it fails, then it tries the next one on the list, and so on). If load balancing is enabled, then WI rotates the list in a round-robin fashion for each request.

When aggregating multiple farms, WI must send the user credentials to an XML service in each farm. (This is why your logins were failing when the new farm came from a non-trusted domain.) The list of MetaFrame XML services and the load balancing option is configured separately for each farm. User credentials submitted to WI must be valid in all farms.

To aggregate applications from multiple farms in multiple non-trusted domains, you must use Web Interface Extension or MetaFrame Secure Access Manager.

JayT
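
A small model of the behaviour described in the answer above, added here as an illustration; it is not part of the thread and not Citrix code. The `Farm` class, `aggregate_logon`, and all farm, broker and domain names are hypothetical, and skipping a failed broker in load-balanced mode is an assumption (the answer only describes failover for the non-balanced case).

```python
class Farm:
    """Hypothetical model of one farm entry configured in Web Interface."""

    def __init__(self, name, brokers, accepted_domains, load_balance=False):
        self.name = name
        self.brokers = list(brokers)              # ordered XML broker list
        self.accepted_domains = set(accepted_domains)
        self.load_balance = load_balance          # "Use list for load balancing"
        self.down = set()                         # brokers simulated as failed
        self._next = 0                            # round-robin position

    def pick_broker(self):
        """Return the broker that receives this request, or None if none is up."""
        if not self.brokers:
            return None
        start = 0                                 # unchecked: always first in list
        if self.load_balance:                     # checked: rotate per request
            start = self._next
            self._next = (self._next + 1) % len(self.brokers)
        for i in range(len(self.brokers)):        # on failure, try the next one
            broker = self.brokers[(start + i) % len(self.brokers)]
            if broker not in self.down:
                return broker
        return None

    def validate(self, domain):
        """Return (broker asked, accepted?) for a logon from the given domain."""
        broker = self.pick_broker()
        return broker, broker is not None and domain in self.accepted_domains


def aggregate_logon(farms, domain):
    """Credentials go to one XML service in every farm; all must accept."""
    results = {farm.name: farm.validate(domain) for farm in farms}
    return all(ok for _, ok in results.values()), results


if __name__ == "__main__":
    # Constructed farm, broker and domain names.
    old = Farm("FarmA", ["xml-a1", "xml-a2"], {"DOM1", "DOM2"})
    new = Farm("FarmNew", ["xml-n1"], {"DOM3"})   # no trust with DOM1
    print(aggregate_logon([old], "DOM1"))         # logon works
    print(aggregate_logon([old, new], "DOM1"))    # same user now rejected
```

The per-farm result map shows which XML broker in which farm rejected the credentials, which is the detail to look for when one domain's logons break after a farm is added.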
 