"That is technically true but not 100% accurate" Somehow this reminds me of the joke about a plane flying around a Microsoft hi-rise. Pilot yells to someone in the building "I'm lost, can you tell me where I am?". Reply: "In a plane" Technically true but not real useful.
From: Webster [mailto:[email protected]] Sent: Wednesday, January 11, 2012 9:14 AM To: NT System Admin Issues Subject: Re: IIS 6.0 Security That is technically true but not 100% accurate. While you CAN set the license server at the farm level (which is preferred), you CAN also set each server to use its own license server (which is stupid IMNSHO). Carl Webster Consultant and Citrix Technology Professional http://www.CarlWebster.com<http://www.carlwebster.com/> From: James Rankin <[email protected]<mailto:[email protected]>> Reply-To: NT Issues <[email protected]<mailto:[email protected]>> Date: Wed, 11 Jan 2012 16:56:51 +0000 To: NT Issues <[email protected]<mailto:[email protected]>> Subject: Re: IIS 6.0 Security The License Server will be set in Farm Properties. Log onto that server and open the Licensing Console, then observe the version On 11 January 2012 16:43, Richard McClary <[email protected]<mailto:[email protected]>> wrote: Well, this is where I got stalled yesterday... First, my system is so old that it still says "Presentation Server", and it is 4.5. How does one determine the version of license server? In my assorted Citrix apps and consoles, I cannot find license server version information. If I go to the Windows control panel, "Add or Remove Programs", it claims Citrix License server is also 4.5 (like the rest of the Citrix pieces). Meanwhile, really soon plans call for nuking this server and setting up a brand new one - and making sure EVERYONE knows how to maintain it. Thanks again! -- richard From: Webster [mailto:[email protected]<mailto:[email protected]>] Sent: Wednesday, January 11, 2012 9:35 AM To: NT System Admin Issues Subject: Re: IIS 6.0 Security Use either license server 11.6.1 or better 11.9. 11.9 may require you to return, reallocate and re download your license file(s). But that is a 2 minute project at worst. 1.9 is required for XenApp 6.5 and XenDesktop 5.5 (and maybe 5.0) as Citrix has implemented new licensing features. 11.9 will read the old license files with no issues BUT if you need to use XenApp 6.5 or XenDesktop 5.5, you WILL need to redo your license file. The nice thing about Citrix license server 11.6 and higher is that it no longer requires Java or IIS. That removes a couple of security risks for you right there. There is a new 11.10 license server but I have not tested that. Carl Webster Consultant and Citrix Technology Professional http://www.CarlWebster.com<http://www.carlwebster.com/> From: Richard McClary <[email protected]<mailto:[email protected]>> Reply-To: NT Issues <[email protected]<mailto:[email protected]>> Date: Wed, 11 Jan 2012 15:21:44 +0000 To: NT Issues <[email protected]<mailto:[email protected]>> Subject: RE: IIS 6.0 Security Thanks! Those docs will be revised soon as TLS 1.0 has also been cracked. (My ancient server does not yet use TLS 1.1, which is currently still "secure".) Now to deal with the TLS Renegotiation... I found a Citrix patch (PSE450R06W2K3030). Now this is where inheriting a Citrix system comes to bite. That hot fix requires a previously release roll-up. That roll-up requires a new version of license server (I seem to remember 11.something). The page goes on to say the roll-up will work with older license server versions, but it will then make the hosted applications unavailable. NICE! From: Webster [mailto:[email protected]] Sent: Tuesday, January 10, 2012 4:58 PM To: NT System Admin Issues Subject: RE: IIS 6.0 Security The Citrix eDocs says if you are using SSL v3 you are not FIPS compliant. You have to use TLS 1.0. SSL/TLS and FIPS Compliance When configured properly, deployments using TLS 1.0 can use FIPS 140-validated cryptographic modules in a manner that is compliant with FIPS 140-2; SSL 3.0 is not FIPS compliant. For more information, refer to the Guidelines for the Selection and Use of the Transport Layer Security (TLS) implementations at http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin The information contained in this e-mail, and any attachments hereto, is from The American Society for the Prevention of Cruelty to Animals(r) (ASPCA(r)) and is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying or use of the contents of this e-mail, and any attachments hereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify me by reply email and permanently delete the original and any copy of this e-mail and any printout thereof. -- "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question." ***** IMPORTANT INFORMATION/DISCLAIMER ***** This document should be read only by those persons to whom it is addressed. If you have received this message it was obviously addressed to you and therefore you can read it, even it we didn't mean to send it to you. However, if the contents of this email make no sense whatsoever then you probably were not the intended recipient, or, alternatively, you are a mindless cretin; either way, you should immediately kill yourself and destroy your computer (not necessarily in that order). Once you have taken this action, please contact us.. no, sorry, you can't use your computer, because you just destroyed it, and possibly also committed suicide afterwards, but I am starting to digress...... The originator of this email is not liable for the transmission of the information contained in this communication. Or are they? Either way it's a pretty dull legal query and frankly one I'm not going to dwell on. But should you have nothing better to do, please feel free to ruminate on it, and please pass on any concrete conclusions should you find them. However, if you pass them on via email, be sure to include a disclaimer regarding liability for transmission. In the event that the originator did not send this email to you, then please return it to us and attach a scanned-in picture of your mother's brother's wife wearing nothing but a kangaroo suit, and we will immediately refund you exactly half of what you paid for the can of Whiskas you bought when you went to Pets At Home yesterday. We take no responsibility for non-receipt of this email because we are running Exchange 5.5 and everyone knows how glitchy that can be. In the event that you do get this message then please note that we take no responsibility for that either. Nor will we accept any liability, tacit or implied, for any damage you may or may not incur as a result of receiving, or not, as the case may be, from time to time, notwithstanding all liabilities implied or otherwise, ummm, hell, where was I...umm, no matter what happens, it is NOT, and NEVER WILL BE, OUR FAULT! The comments and opinions expressed herein are my own and NOT those of my employer, who, if he knew I was sending emails and surfing the seamier side of the Internet, would cut off my manhood and feed it to me for afternoon tea. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
