Title: RE: Citrx Metaframe/NT4-TSE

It can be done many ways, the easiest of which is to open port 1494 through the firewall to the Metaframe/TS address. Definitely restrict traffic to only this address. Alternatively, you may use NAT: from the outside, allow traffic on 1494 and redirect to a new port internally. Citrix has a document on their site regarding changing the default port for client connectivity. This provides security through obscurity.

Citrix uses a relatively weak encryption, Xorr (I think); if security is an issue, invest in the Secure ICA add-on pack, which provides 128-bit MD5 encryption. Also be sure the terminal server itself has been hardened; there are not any known exploits or overruns in the ICA protocol to my knowledge.

The ability to control the user environment and access to information through terminal server is very powerful, and when properly secured it is also extremely stable. I recommend against mapping drives and printers, as this has always been an issue in terms of security risk (client drive mapping) and stability (unregistered printer drivers, i.e. HP1100 LaserJet).

Anyway, from the perspective of the firewall, if your rule set limits traffic to only the terminal server and you change the default port, then the possibility of exploit is extremely small. From the client, if you type the Address:port it will override the default port of 1494 when it tries to connect; this is necessary if you remap the port or change it on the Citrix server.

Ken Claussen
[EMAIL PROTECTED]
"The mind is a terrible thing to waste!"


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, July 13, 2000 8:27 AM
To: [EMAIL PROTECTED]
Subject: Citrx Metaframe/NT4-TSE


     Has anyone had experiences good or bad with passing Metaframe thru a
     firewall?
