NFR Wizards Archive: Re: Citrix ICA - Published apps


Chris Brenton (cbrentonsover.net)
Thu, 15 Apr 1999 17:06:01 -0400


Mailing Lists wrote:
>
> Let's say I have a server farm of 3 computers, exporting 4 apps (Word,
> Excel, Access and Powerpoint) load balanced. You talked about setting "A"
> refs in your dns instead of using the load balancing feature. I would like
> to know more about this option, it sounds interesting!

OK, here's what you do:
1) Set up internal Citrix access as per normal, only make sure you use
legal DNS names for the names of the published Apps (i.e. no
underscores, etc.). In the case above, let's say I name the first app
word.bohica.edu.
2) On your external DNS, set up 3 "A" records pointing the app
(word.bohica.edu) to each of the three Citrix servers
3) Open up port 1494 on your firewall to these three systems

So let's say I've got a laptop user that needs WinFrame/MetaFrame access
from both the office and from home. In the office, I easily find the
master browser and I'm able to use Citrix load balancing. When I'm home,
I dial-up my ISP and then launch the same word.bohica.edu application.
When the MSB lookup fails, the client falls back on DNS and resolves
the IP address in a round robin fashion.

For extra security, you could set up some form of authentication prior to
connection. For example in the FW-1 world you could have users run the
fwclient utility in order to do client authentication. Till you
authenticate, port 1494 is not open to your IP address. Given that ICA
traffic can be encrypted anyway, a full-blown VPN is probably overkill.

Hope this helps,
Chris

-- 
**************************************
cbrentonsover.net

* Multiprotocol Network Design & Troubleshooting http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet * Mastering Network Security http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
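
Added example, not part of the original post: a small audit that checks the three steps above against each other, flagging published-app names that are not legal DNS names, "A" records that point at hosts the firewall does not allow on port 1494, and port 1494 openings to hosts that no published app resolves to. The zone lines, the 192.0.2.x addresses, the allow-list format and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Legal hostname label: letters, digits, hyphens; no underscores (step 1 of the post).
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
ICA_PORT = 1494  # the port named in the post
# Constructed sample data: external zone lines and a firewall allow list.
SAMPLE_ZONE = """\
word.bohica.edu.      300 IN A 192.0.2.11
word.bohica.edu.      300 IN A 192.0.2.12
word.bohica.edu.      300 IN A 192.0.2.13
excel_app.bohica.edu. 300 IN A 192.0.2.11
access.bohica.edu.    300 IN A 192.0.2.14
"""
SAMPLE_ALLOW = {(f"192.0.2.{n}", ICA_PORT) for n in (11, 12, 13, 20)}


def parse_a_records(zone_text):
    """Return {name: [ip, ...]} for 'name ttl IN A ip' lines."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "A":
            ip = str(ipaddress.IPv4Address(fields[4]))  # raises on a malformed address
            records.setdefault(fields[0].rstrip(".").lower(), []).append(ip)
    return records


def audit(zone_text, allow, port=ICA_PORT):
    """Cross-check published-app A records with the firewall allow list."""
    records = parse_a_records(zone_text)
    findings = []
    for name, ips in sorted(records.items()):
        bad = [lab for lab in name.split(".") if not LABEL.match(lab)]
        if bad:
            findings.append(("illegal-dns-label", name, bad[0]))
        for ip in ips:
            if (ip, port) not in allow:  # round robin would hand out a blocked host
                findings.append(("dns-target-not-allowed", name, ip))
    published = {ip for ips in records.values() for ip in ips}
    for ip, p in sorted(allow):
        if p == port and ip not in published:  # hole in the firewall nothing needs
            findings.append(("open-port-without-dns", ip, str(p)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ZONE, SAMPLE_ALLOW):
        print(finding)
```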



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:22 CDT