[FW1] Citrix MetaFrame XP with NFuse and port 1494


  • To: "Firewall Mailing List (E-mail)" <[email protected]>
  • Subject: [FW1] Citrix MetaFrame XP with NFuse and port 1494
  • From: "Rick Camp" <[email protected]>
  • Date: Thu, 21 Jun 2001 13:42:05 -0400
  • Sender: [email protected]
  • Thread-index: AcD6eXyII85PFZAMRhSWTuWaH5c/DA==
  • Thread-topic: Citrix MetaFrame XP with NFuse and port 1494

We are testing out Citrix MetaFrame XP and using their NFuse web
interface.  The beginning connections by the user are all done through
the web interface, and can be secured via SSL, but the last piece goes
directly from the client on the Internet to the MetaFrame server and no
longer routes through the web front end, so it is no longer using SSL
for encryption.  This requires opening port 1494 directly to the
MetaFrame server.  Citrix can use up to RC5 128-bit encryption for the
communication going over 1494, Citrix's ICA protocol.

It works basically like this.

1. User hits web site and logs in (encrypted via SSL). ICA client can be
installed over the web at this time
2. Web site passes user information to Citrix Server (can be encrypted
via Citrix's SSL relay)
3. Citrix server passes to web server list of published apps that user
can access (can be encrypted via Citrix's SSL relay)
4. Web server generates page with links to the published apps which it
sends to the web browser (encrypted via SSL)
5. User clicks on desired app, which sends a request for an ICA file to
the web server (encrypted via SSL)
6. Web server puts in info specific to user and sends ICA file back to
browser which is passed onto the local ICA client (encrypted via SSL)
7. The ICA client receives the file and initiates a session directly
with the Citrix server (encrypted via RC5 128-bit)

What security issues should I be aware of when setting this up?  Are
there any known vulnerabilities on port 1494 that I will be exposing my
network to?  

As I see it, it seems that this is fairly similar to accessing data
through a web interface encrypted with SSL, it is just going over a
different port and using a different encryption algorithm.

Am I missing anything here?  Should I be worried about setting up a
configuration of this type?

Thanks for the help.

_______________________________________
Rick Camp
Senior Consultant
Welsh Consulting, Inc. 
31 Milk Street, Suite 805 
Boston, MA 02109
[email protected] 
www.welsh.com
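
The ICA file handed to the client in step 6 determines the target and encryption level of the direct session in step 7, so it can be checked before the firewall rule for port 1494 is relied on. The following is an added example, not part of the original post and not Citrix code; the key names (`Address`, `EncryptionLevelSession`), the `Basic` fallback and the sample file are assumptions constructed for illustration.

```python
import configparser

# Constructed sample of the ICA file from step 6. Key names are assumed from
# the common ICA file layout; addresses are documentation-range placeholders.
SAMPLE_ICA = """\
[ApplicationServers]
Payroll=
Notepad=

[Payroll]
Address=192.0.2.10:1494
InitialProgram=#Payroll
EncryptionLevelSession=EncRC5-128

[Notepad]
Address=192.0.2.10
InitialProgram=#Notepad
"""

ICA_PORT = 1494                # the only port opened to the MetaFrame server
REQUIRED_LEVEL = "EncRC5-128"  # RC5 128-bit session encryption


def audit_ica(text):
    """Return {app: [findings]} for each app listed under [ApplicationServers]."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # keep key case so app names match section names
    cfg.read_string(text)
    report = {}
    if not cfg.has_section("ApplicationServers"):
        return report
    for app in cfg.options("ApplicationServers"):
        findings = []
        if not cfg.has_section(app):
            report[app] = ["no section describing this application"]
            continue
        sec = cfg[app]
        host, sep, port = sec.get("Address", "").partition(":")
        if not host:
            findings.append("no Address set")
        if sep and port != str(ICA_PORT):
            findings.append(f"session targets port {port}, not {ICA_PORT}")
        # Assumption: a missing key means the client uses Basic encryption.
        level = sec.get("EncryptionLevelSession", "Basic")
        if level != REQUIRED_LEVEL:
            findings.append(f"encryption level is {level}, not {REQUIRED_LEVEL}")
        report[app] = findings
    return report
```

An empty findings list means the published application's session would use port 1494 with RC5 128-bit encryption; anything else shows where the session in step 7 would differ from what the SSL-protected steps suggest.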



   All contents © 2004 Network Presence, LLC. All rights reserved.