
Secure Gateway security

Status
Not open for further replies.

pinkpanther56

Technical User
Jun 15, 2005
807
GB
We are a college and have a Cisco firewall installed that is managed by our ISP; they will soon be forwarding port 443 to an internal IP address that will host our Citrix 4.5 secure gateway. I'm looking for some advice on what security issues may be presented by this and what lockdown procedures I should take on this box.

I assume having just this one port available should make it quite difficult to compromise the box?

The box will be running Windows 2003 SP2.

Thanks for any advice.
 
Hi
Secure Gateway is used to allow secure traffic between the presentation server and the client and to protect your internal secure network from attacks from the internet.
Normally you would place the Secure Gateway server together with the Web Interface server in a DMZ, either with both on the same server or as separate servers. This way you can open up just port 443 from the Internet to the Web Interface and CSG in the DMZ and then allow port 80, 1494 and 2598 (if using session reliability) traffic to your secure internal network only from the CSG server.
This pre-installation checklist may be helpful with what you need to think about

/Hof
 
Hi, thanks for the reply. As our ISP-managed firewall is not on site, we don't actually have a DMZ; the firewall is hosted at the other end of our SDL connection, which then connects through a local Cisco router onto our network. I suppose in this instance that I'm limited to best practices for securing the CSG server?

Is that how you would see it?
 
I guess so. As you wrote, you will have to open port 443 from the internet to your secure network, but limit that to only the CSG server and secure that server as much as you can. Even if it is not ideal from a security point of view, it should be OK I think. Any other opinions anyone?
/Hof
 
Well, for now we have installed a 2003 server as just a member server, then configured the Windows firewall to only allow incoming traffic on port 443, no Ping or anything else. Any incoming traffic from the ISP can only go to that IP address. I suppose that's the best we can do for now.

I'm hoping to get the go-ahead to purchase a cheap firewall router to put between this and our main network to fashion a DMZ.
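
Added example (not part of the thread, and not Citrix's or any poster's code): a small Python audit of a firewall allow-list against the port layout described in the DMZ reply above, with 443 from the Internet to the CSG and 80, 1494 and 2598 from the CSG inward. The addresses, the `(source, destination, port)` rule format and the `audit` function are assumptions made for illustration.

```python
from ipaddress import ip_network

# Constructed addressing (assumption); none of these values appear in the thread.
INTERNAL = ip_network("10.0.0.0/16")      # secure internal network
CSG = ip_network("192.168.50.10/32")      # Secure Gateway / Web Interface host in the DMZ

INTERNET_TO_CSG = {443}                   # the only port opened from the Internet
CSG_TO_INTERNAL = {80, 1494, 2598}        # 2598 only if session reliability is used

# Constructed allow rules: (source network, destination network, TCP port).
RULES = [
    ("0.0.0.0/0", "192.168.50.10/32", 443),
    ("192.168.50.10/32", "10.0.1.0/24", 1494),
    ("192.168.50.10/32", "10.0.1.0/24", 2598),
    ("0.0.0.0/0", "192.168.50.10/32", 3389),   # remote admin left open
    ("192.168.50.10/32", "10.0.1.0/24", 445),  # file sharing from the DMZ host
    ("0.0.0.0/0", "10.0.1.20/32", 1494),       # ICA published directly
]


def audit(rules):
    """Return (rule, reason) for each allow rule that falls outside the layout."""
    findings = []
    for rule in rules:
        src, dst, port = ip_network(rule[0]), ip_network(rule[1]), rule[2]
        if src == CSG:
            # The gateway may talk inward, but only on the three listed ports.
            if dst.overlaps(INTERNAL) and port not in CSG_TO_INTERNAL:
                findings.append((rule, "CSG reaches internal network on unexpected port"))
        elif not src.subnet_of(INTERNAL):
            # Source includes addresses outside the internal network: treat as Internet.
            if dst.overlaps(INTERNAL):
                findings.append((rule, "Internet allowed straight into internal network"))
            elif dst.overlaps(CSG) and (dst != CSG or port not in INTERNET_TO_CSG):
                findings.append((rule, "Internet access wider than port 443 on the CSG host"))
    return findings


if __name__ == "__main__":
    for rule, reason in audit(RULES):
        print(rule, "->", reason)
```

Without a DMZ, as in the setup described in the last post, the CSG address sits inside the internal range and the second rule class never crosses a firewall, which is why host lockdown carries the weight there.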
 