
To domain or not to domain...

Status
Not open for further replies.

AjayM

IS-IT--Management
Jan 3, 2002
48
I'm in the process of upgrading a new server for use with Win2k and MF XP, this is going to replace our old NT4-TS/MF 1.8 server. Now our old server was setup and part of our internal domain for user accounts, everything else the system needs (databases, etc) is located in the DMZ area. I'd like to get away from that and basically have the system be standalone. Are there downsides to this? I'd like to cut the link between our internal network and our DMZ area and this one place where I could do it easily. But my familiarity of Citrix MF is currently lacking a little bit. Thoughts, ideas?

TIA
Andrew
 
If I understand you right, then I agree on the first part - you should not keep databases in the DMZ area. The only servers in the DMZ should be bastion hosts. Don't forget that the whole point of a DMZ is that it's an area which the outside world can get to _without_ being able to access the LAN (but this depends on how your firewall and other security devices are set up). Many smaller organisations simply have a firewall/router setup with no servers at all in the DMZ. It depends how much public access you need to give.

As far as the Citrix server goes, you should treat it like any host on the network, since it is essentially a glorified client machine (to the databases, etc.); all users should be authenticated to the domain, and put into global groups that are members of local groups on the Citrix server to access the resources.

What this boils down to, AFAICS, is not an understanding of Citrix MetaFrame per se, but an understanding of a terminal server's function.

I hope this is helpful.

CitrixEngineer@yahoo.co.uk
 
Well, I'll try and clear up a few items. First, I inherited this network a couple of months ago with a new job, and it is set up in a way that I would never have done myself. For instance, the current Citrix server is multihomed to both the external subnet and the NAT'd LAN subnet. The only reason was for the user accounts to have that "internal" connection and nothing else; there are no other resources on the LAN side that the Citrix machine needs or should have access to. The DB server is sitting in the DMZ area, but with our firewall we are denying all outside access to it (so only machines behind the firewall LAN/DMZ can access it), and it is only doing DB work for our production/public servers. Not the most perfect situation, but I can only change it slowly over time. As to the Citrix box and its use, it is a service we provide for our customers to use software we develop, so basically we are using it in an ASP role; it isn't used for internal/employee use.

What I would like to do is to remove that LAN link on that machine. Security-wise it's a pain, as it basically circumvents the firewall for LAN access; if that machine were to be compromised, they would basically have free access with a minimal amount of hassle.

I already know that it's going to be a little more work on my side with user accounts and such, although duplicate accounts between it and the domain will be fairly minor considering its use.

Hope that clears some items up, and thanks for the info.

Andrew
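Andrew's concern above is that a multihomed host bridges the LAN and an external subnet behind the firewall's back. The Python script below, added here as an example and not part of the original thread, audits a host inventory for interfaces that span security zones and flags the high-risk case of a trusted zone bridged to an untrusted one. The zone ranges, host names and addresses in `ZONES` and `INVENTORY` are constructed placeholders; replace them with your own zone definitions and an export from your inventory tool.

```python
"""Audit a host inventory for interfaces that span security zones.

Added example, not code from the Tek-Tips thread. All subnets, host
names and addresses below are constructed placeholders.
"""
import ipaddress

# Constructed zone map: which address ranges belong to which security zone.
# The ranges are documentation/test networks used only as placeholders.
ZONES = {
    "lan": [ipaddress.ip_network("10.0.0.0/24")],
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],
    "external": [ipaddress.ip_network("198.51.100.0/24")],
}

# Zones that must never share a host with the LAN.
UNTRUSTED_ZONES = {"dmz", "external"}

# Constructed inventory: host name -> addresses bound on that host.
INVENTORY = {
    "citrix-old": ["198.51.100.10", "10.0.0.5"],  # multihomed: external + LAN
    "citrix-new": ["192.0.2.20"],                 # single-homed in the DMZ
    "dbsrv": ["192.0.2.30"],
    "fileserver": ["10.0.0.10"],
    "mystery": ["172.16.5.5"],                    # address in no defined zone
}


def zone_of(addr):
    """Return the zone name containing addr, or 'unknown' if none matches."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "unknown"


def zones_per_host(inventory):
    """Map each host to the sorted list of distinct zones its addresses fall in."""
    return {host: sorted({zone_of(a) for a in addrs})
            for host, addrs in inventory.items()}


def bridge_risk(zones):
    """Rate a multi-zone host: LAN plus any untrusted zone is the worst case."""
    if "lan" in zones and UNTRUSTED_ZONES & set(zones):
        return "high"
    return "medium"


def find_bridging_hosts(inventory):
    """Return {host: (zones, risk)} for every host with interfaces in 2+ zones."""
    findings = {}
    for host, zones in zones_per_host(inventory).items():
        if len(zones) > 1:
            findings[host] = (zones, bridge_risk(zones))
    return findings


def find_unknown_addresses(inventory):
    """Return {host: [addrs]} for addresses outside every defined zone.

    An unknown address is not a bridge by itself, but it means the zone map
    is incomplete, so the bridging check cannot be trusted for that host.
    """
    unknown = {}
    for host, addrs in inventory.items():
        bad = [a for a in addrs if zone_of(a) == "unknown"]
        if bad:
            unknown[host] = bad
    return unknown


if __name__ == "__main__":
    for host, (zones, risk) in find_bridging_hosts(INVENTORY).items():
        print(f"{risk.upper():6} {host}: interfaces in zones {', '.join(zones)}")
    for host, addrs in find_unknown_addresses(INVENTORY).items():
        print(f"CHECK  {host}: addresses outside zone map {', '.join(addrs)}")
```

Run against the constructed inventory, the script reports `citrix-old` as a high-risk bridge (external plus LAN), which is exactly the link Andrew wants to remove, and lists `mystery` as a host whose address the zone map does not cover. Feeding it real interface data from each server turns the thread's one-off observation into a repeatable check.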
 
This looks like a job for CSG and NFuse (the boy wonder...?) ;-)

CitrixEngineer@yahoo.co.uk
 