I should know more Monday, but it appears as if Axent has a GINA that is
supposed to work with Citrix to do the token based authentication.
If it works I will probably have it installed (and hopefully working) by
Tuesday.
David Lang
On Thu, 13 Jul 2000, Frank Knobbe wrote:
> Date: Thu, 13 Jul 2000 19:43:25 -0500
> From: Frank Knobbe <[EMAIL PROTECTED]>
> To: 'David Lang' <[EMAIL PROTECTED]>,
> Frank Knobbe <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: RE: Citrix Metaframe/NT4-TSE
>
> > -----Original Message-----
> > From: David Lang [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, July 13, 2000 5:10 PM
> >
> > how do you setup Citrix to use two factor authentication?
> >
> > I am working on this now and after having both microsoft (terminal
> > server) and Citrix reps in they have said that if you really need
> > that sort of security run citrix through a VPN and do the
> > authentication on the VPN.
>
> As of today (at least as far as I know) these are your options. Either
> use a VPN or, if you are using/planning to use SecureICA, just open a
> port on the firewall after successful authentication. I think the
> SecureICA (128 bit encryption on the ICA protocol itself) and a port
> opened after token authentication against the firewall is the
> preferred method. A VPN would add overhead on the traffic. Running
> ICA through IPSec performs pretty well, but don't use PPTP. Besides
> the known vulnerabilities, the performance ... well... just plain
> sucks...
>
> I almost had Vasco rewrite their GINA (graphical logon interface on
> NT) to be compatible with Terminal Server. That GINA is loaded to use
> their tokens, especially the challenge/response based one (with the
> flashing bar code on the screen). Works great on NT WS/S/SEE, however
> under Terminal Server it behaved strangely. If you logged off, the
> prompt wouldn't come back. You actually had to disconnect and perform
> another step. This issue was due to the multi-user additions in the
> GINA under Terminal Server.
>
> I have not seen another token GINA that worked properly with Terminal
> Server. If someone knows of a token vendor who supports TS, please
> let me know, because that would be the holy grail. In that case you
> could allow ICA connections to the Terminal Server without having to
> authenticate on the firewall first. Without a token, you wouldn't get
> in. This comes in especially handy if you serve Terminal Server sessions
> through a web page. Just open your browser, connect to your server,
> authenticate with token to Citrix and you're in.... This remains a
> dream of mine... sigh.
>
> > the next best thing they have been able to say is to use the
> > browser-based
> > version of the client that authenticates to the web server
> > (HTTP or HTTPS
> > are supported) and implement strong authentication on the web
> > server before access is allowed to the citrix URL.
>
> Nope. As far as I remember, the client is loaded through the page
> (ActiveX control), but still establishes an ICA protocol session to
> the Terminal Server. In other words, anyone with a client could hit
> the port directly.
>
> > 1. you are forced to use the browser based client, poorer
> > performance than
> > the full client from what I have been told.
>
> Yeah, it's slightly better using the client instead of the web page.
>
> > 2. I am nervous about letting port 1494 through because I don't
> > fully understand how the authentication works between the web
> > server and the Citrix server. The 'correct' way for things to happen
> > is for the client to connect to the web server, authenticate, then
> > connect to 1494, but what's to stop a hacker from hitting 1494
> > directly and pretending that he has already authenticated?
>
> Yup. Though the problem is not that a hacker could spoof an active
> session (SecureICA uses keys that are exchanged during setup), but
> rather that anyone could get to the Logon Dialog and try
> username/password combos. This could result in a DoS if user
> accounts are locked out after failed attempts. Furthermore, someone
> might flood the ICA port, but then again, which port cannot be
> flooded...
>
> > This is assuming that we use the strong encryption option for
> > Citrix, or
> > that would also be a problem.
>
> Highly recommended.
>
>
> What firewall do you have in front of the Terminal Server?
>
> Regards,
> Frank
>
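The lockout risk Frank describes above, where an ICA logon prompt reachable directly on port 1494 lets anyone burn through failed attempts against real accounts, is something a defender can at least watch for in the logs while the firewall-gated port or a TS-aware token GINA is not yet in place. The following is an added example, not code from this thread or from Citrix; the log line format, the account names and the source addresses are constructed for illustration, and the threshold and window are assumptions to tune against the real lockout policy.

```python
"""Flag sources that rack up enough logon failures against one account to
trigger a lockout (the DoS pattern discussed in the thread).

Added example. The log format below is constructed and is not Citrix's or
any firewall vendor's native format; adapt parse_line() to the real one.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source address, target account, result.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2000-07-13T19:40:01 src=198.51.100.7 user=alice result=FAIL
2000-07-13T19:40:03 src=198.51.100.7 user=alice result=FAIL
2000-07-13T19:40:05 src=198.51.100.7 user=alice result=FAIL
2000-07-13T19:40:07 src=198.51.100.7 user=alice result=FAIL
2000-07-13T19:40:09 src=198.51.100.7 user=alice result=FAIL
2000-07-13T19:40:30 src=203.0.113.9 user=bob result=OK
2000-07-13T19:41:00 src=198.51.100.8 user=admin result=FAIL
2000-07-13T19:41:02 src=198.51.100.8 user=admin result=FAIL
2000-07-13T19:41:04 src=198.51.100.8 user=admin result=FAIL
2000-07-13T19:55:00 src=198.51.100.8 user=admin result=FAIL
2000-07-13T19:55:02 src=198.51.100.8 user=admin result=FAIL
2000-07-13T19:55:04 src=198.51.100.8 user=admin result=FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, user, result)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["src"], fields["user"], fields["result"]


def find_lockout_risks(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {account: [source, ...]} for every (source, account) pair that
    produced `threshold` or more FAIL results inside any `window`-long span.

    `threshold` is assumed to match the account lockout policy; set it one
    below the real lockout count so the alert fires before users are locked.
    """
    failures = defaultdict(list)  # (src, user) -> list of failure timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse_line(line)
        if result == "FAIL":
            failures[(src, user)].append(ts)

    flagged = defaultdict(list)
    for (src, user), times in failures.items():
        times.sort()
        start = 0
        # Sliding window: advance `start` until the span fits inside `window`,
        # then check how many failures the span holds.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user].append(src)
                break
    return dict(flagged)


if __name__ == "__main__":
    for account, sources in find_lockout_risks(SAMPLE_LOG).items():
        print(f"lockout risk: account={account} from {', '.join(sources)}")
```

Note that the six failures against `admin` in the sample do not trip the default settings because they are split across two bursts fourteen minutes apart; whether that is the right outcome depends on whether the lockout counter on the server resets within that gap, which is exactly the policy value the threshold and window should be copied from.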
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]