i_harfoush
asked on
Should I open port 80 for Citrix?
Should I open port 80 for Citrix presentation frame 4.0 to be accessed from outside the company?
ASKER
Sir,
I open the port 80 from outside to Citrix, and Citrix is on the LAN because of the internal application being used. Somebody told me to block this port, that I don't need it and it is risky. Please advise.
Probably the best thing you can do if you need to serve an application to the outside world is to create a DMZ Zone.
ASKER
but the internal application will not work :(
ASKER
If I block the port 80 from outside to citrix, will citrix stop working?
What error do you receive?
Normally, port 80 is used to connect to the Web Interface; from the Web Interface, when you select an application, it will create a session using port 1494 to the server.
That is unless you have a device (Access Gateway) that uses SSL (443) to connect from the web; then you would only need 443 open.
ASKER
Yes, Mr. Bunk,
I am entering first to citrix.xxx.com from my home, and the users too,
so I have to open port 80, and Citrix is on the LAN, not on a DMZ, because I have to host internal applications. Is it risky?
ASKER
because I am hosting (ERP application, internal web application, Outlook, VNC, ...)
I would say it is risky. Would you be able to allocate another computer/server to serve as an entry point using Citrix Secure Gateway?
I know some would say it's OK to do it the way it is now, but I say never give in to chance.
ASKER
so what is your suggestion Sir?
If you are a big company, I would go with a real device (Access Gateway); if you are a small shop, you can get away with Citrix Secure Gateway. It is software based and can run on a workstation or server, depending on the resources you have available. Once configured, which isn't too hard, you will only need to open port 443 from the internet.
You will need a Certificate for it to work.
How many people do you think will use this access?
I know there have been posts on how to set it up the way you were trying; it's ok for some but not for others in my opinion.
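A check for the end state described in the post above (only 443 open from the internet), as an added example that is not part of the original thread. It assumes PIX-style `access-list` lines; the ACL name `outside_in`, the address 192.0.2.10 and both sample configurations are constructed for illustration.

```python
import re

# Cisco port keywords -> numbers, limited to the ports this thread discusses.
PORT_NAMES = {"www": 80, "https": 443, "citrix-ica": 1494}
# End state from the post above: only 443 reachable from the internet.
ALLOWED_INBOUND = {443}
WHY = {
    80: "HTTP to the Web Interface is unencrypted",
    1494: "ICA session port is reachable directly from the internet",
}
# Matches only the simple form: permit tcp any host <ip> eq <port>
RULE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+tcp\s+any\s+host\s+(\S+)\s+eq\s+(\S+)$"
)

def to_port(token):
    """Return the numeric port for a number or known keyword, else None."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token.lower())

def audit(config_text, acl_name="outside_in"):
    """List (host, port, reason) for inbound permits outside ALLOWED_INBOUND."""
    findings = []
    for line in config_text.splitlines():
        m = RULE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        host, token = m.group(2), m.group(3)
        port = to_port(token)
        if port is None:
            findings.append((host, token, "unrecognised port, review by hand"))
        elif port not in ALLOWED_INBOUND:
            findings.append((host, port, WHY.get(port, "not needed behind the gateway")))
    return findings

# Constructed samples; 192.0.2.10 is a documentation address.
AS_DESCRIBED = """\
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in permit tcp any host 192.0.2.10 eq https
access-list outside_in permit tcp any host 192.0.2.10 eq citrix-ica
access-group outside_in in interface outside
"""
GATEWAY_ONLY = """\
access-list outside_in permit tcp any host 192.0.2.10 eq https
access-group outside_in in interface outside
"""

if __name__ == "__main__":
    for host, port, reason in audit(AS_DESCRIBED):
        print(f"{host}:{port} {reason}")
    print("gateway-only findings:", audit(GATEWAY_ONLY))
```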
ASKER
I am in a medium-size company, but there is no financial resource for my department. I have poor resources, and I am trying to do the best for my company. The setup is like this:
---------WAN---------firewall(http,https,1494)--------Citrix(LAN)--------(local resources).
What can I do right now?
There are 5 people using this poor Citrix, including me, from our homes.
In that case, yes, you should open port 80 to the web interface, but no other ports.
Can you place the web interface in a DMZ? You will need to set up an alternate address on the Citrix server and configure Web Interface with it also.
Here are some links for you to read to give you a better idea.
http://www.tek-tips.com/viewthread.cfm?qid=1174164&page=1
http://www.brianmadden.com/forums/t/22967.aspx
http://support.citrix.com/article/CTX105313
http://66.165.176.77/proddocs/index.jsp?topic=/web-interface-gransden/wi-configure-alternate-address-gransden.html
ASKER
Mr. Bunk,
Thanks for your answer, but still your answer is unclear. How would the setup be? I've read your links. I want a clear idea; if you can, make a simple diagram so I can understand your idea more. Thanks.
Do you already have a VPN solution on your network?
Do you have other incoming traffic to your firewall (like hosting another site) or will this (Citrix) be the only traffic?
Also, is your internet connection a static address or DHCP from the ISP?
I am looking at the best way to help you.
ASKER
Mr. Bunk,
I don't have a VPN connection between my sites, but I have a PIX 515E. In the future I will make a VPN from my home to troubleshoot my end users by VNC; that's it.
I have only 3 main servers (Exchange 2003, Citrix PS 4.0, web server, BlackBerry) and I didn't create a DMZ; I have one network.
The internet connection is static, not DHCP from the ISP. Waiting for your advice.
Thanks, Sir.
ASKER
Sir, if I want to set up a secure gateway, how would the diagram/setup be? Sorry for my questions.
Thanks in advance.
ASKER
I want to change the closing
ASKER
10x
If it is not, then that really depends on the needs of your company and your internal security policies.