How do you set up Citrix to use two-factor authentication?
I am working on this now, and after having both Microsoft (Terminal
Server) and Citrix reps in, they have said that if you really need that
sort of security, run Citrix through a VPN and do the authentication on the
VPN.
The next best thing they have been able to say is to use the browser-based
version of the client that authenticates to the web server (HTTP or HTTPS
are supported) and implement strong authentication on the web server
before access is allowed to the Citrix URL.
This can be done, but it has drawbacks.
1. You are forced to use the browser-based client, which has poorer performance than
the full client from what I have been told.
2. I am nervous about letting port 1494 through because I don't fully
understand how the authentication works between the web server and the
Citrix server. The 'correct' way for things to happen is for the client to
connect to the web server, authenticate, then connect to 1494, but what's
to stop a hacker from hitting 1494 directly and pretending that he has
already authenticated?
This is assuming that we use the strong encryption option for Citrix, or
that would also be a problem.
David Lang
On Thu, 13 Jul 2000, Frank Knobbe wrote:
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, July 13, 2000 1:09 PM
> >
> > If the Windows TSE box is configured and secured properly after the
> > Citrix MetaFrame Server is successfully installed, it is not as
> > vulnerable as one would suspect.
>
> Keep in mind that you don't have to go to extremes with Citrix like
> you have to do with, say, web servers, unless you rent Apps on that
> box to the public (as in ASP). Public web servers are accessible by
> everyone. Citrix by default is too, since anyone can use the Citrix
> client, connect to the server and start guessing usernames and
> passwords. However, if you restrict the access on the protocol level
> with tokens (two-factor authentication devices, OTPs and whatever
> other acronym there is for it), you only have to maintain the same
> level of security that you require on your server inside your
> network. Users will need to authenticate with the tokens in order to
> get through the firewall or tunnel before their packets actually hit
> the Citrix box, which weeds out folks on the Internet that don't have
> a token and the access it authorizes.
>
> There is still security work that one needs to do, such as securing
> user profile directories, setting decent Advanced User Rights, etc.
> However, if you can restrict ICA protocol access to only trusted
> individuals (read your users, trusted to some extent at least :), you
> don't have to fight such a huge battle.
>
> Does that sound confusing?
>
> Regards,
> Frank
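The bypass David worries about (a client hitting port 1494 directly without first authenticating at the web server) can at least be flagged from firewall logs. The following detection script is an added example and not part of the original thread; it assumes a hypothetical, constructed log format and treats any ICA connection from a source address with no recent web-server session as suspicious.

```python
import re
from datetime import datetime, timedelta

# Constructed sample firewall log lines in a hypothetical format
# (timestamp ACTION PROTO src:port -> dst:port); not real traffic.
SAMPLE_LOG = """\
2000-07-13T13:01:02 ACCEPT TCP 10.1.1.5:40001 -> 192.0.2.10:443
2000-07-13T13:01:40 ACCEPT TCP 10.1.1.5:40002 -> 192.0.2.20:1494
2000-07-13T13:05:11 ACCEPT TCP 10.1.1.9:50010 -> 192.0.2.20:1494
2000-07-13T14:30:00 ACCEPT TCP 10.1.1.5:40003 -> 192.0.2.20:1494
"""

LINE_RE = re.compile(
    r"^(\S+) ACCEPT TCP (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:(\d+)$"
)


def find_direct_ica_connections(log_text, web_port=443, ica_port=1494,
                                window=timedelta(minutes=10)):
    """Return (timestamp, src_ip) pairs for ICA (port 1494) connections
    whose source address did not contact the web server within `window`
    beforehand, i.e. sessions that skipped the web-server authentication step."""
    last_web_hit = {}   # src_ip -> time of most recent web-server connection
    suspicious = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.fromisoformat(m.group(1))
        src, dport = m.group(2), int(m.group(3))
        if dport == web_port:
            last_web_hit[src] = ts
        elif dport == ica_port:
            prior = last_web_hit.get(src)
            # No web session at all, or one too old to plausibly belong
            # to this ICA connection: flag it for review.
            if prior is None or ts - prior > window:
                suspicious.append((ts.isoformat(), src))
    return suspicious


if __name__ == "__main__":
    for when, src in find_direct_ica_connections(SAMPLE_LOG):
        print(f"{when} direct ICA connection from {src} with no recent web login")
```

This only shows that the source contacted the web server, not that its authentication succeeded, so it is a coarse triage signal rather than proof of a bypass.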