i_harfoush

Should I open port 80 for Citrix?

Should I open port 80 for Citrix presentation frame 4.0 to be accessed from outside the company?
kcohne

Port 80 is www traffic. So unless you are blocking internet traffic to the company as a whole I would imagine that it is already open.

If it is not, then that really depends on the needs of your company and your internal security policies.
i_harfoush

ASKER

Sir,
I open port 80 from outside to Citrix, and Citrix is on the LAN because of the internal application being used. Somebody told me: block this port, you don't need it, and it is risky. Please advise.
Probably the best thing you can do if you need to serve an application to the outside world is to create a DMZ Zone.
But the internal application will not work :(
If I block port 80 from outside to Citrix, will Citrix stop working?
What error do you receive?

Normally using port 80 is to connect to the Web Interface, from the web interface when you select an application it will create a session using port 1494 to the server.

That is unless you have a device (Access gateway) that uses (ssl) 443 to connect from the web, then you would only need 443 open.
Yes Mr Bunk,
I am entering first to citrix.xxx.com from my home, and the users too,
so I have to open port 80, and Citrix is on the LAN, not on a DMZ, because I have to host internal applications. Is it risky?
Because I am hosting (ERP application, internal web application, Outlook, VNC, ...)
I would say it is risky. would you be able to allocate another computer/server to serve as entry point using Citrix Secure Gateway?

I know some would say it's OK to do it the way it is now, but I say never give in to chance.
So what is your suggestion, Sir?
If you are a big company I would go with a real device (Access Gateway); if you are a small shop you can get away with Citrix Secure Gateway. It is software based and can run on a workstation or server, depending on the resources you have available. Once configured, which isn't too hard, you will only need to open port 443 from the internet.

You will need a Certificate for it to work.

How many people do you think will use this access?

I know there have been posts on how to set it up the way you were trying; it's ok for some but not for others in my opinion.


I am in a medium-size company, but there is no financial resource for my department. I have poor resources, and I am trying to do the best for my company. The setup is like this:
---------Wan---------firewall(http,https,1494)--------Citrix(LAN)--------(local resources).
What can I do right now?
There are 5 people using this poor Citrix, including me, from our home.
In that case, yes, you should open port 80 to the web interface, but no other ports.
Can you place the Web Interface in a DMZ? You will need to set up an alternate address on the Citrix server and configure Web Interface with it also.

Here are some links for you to read to give you a better idea.
http://www.tek-tips.com/viewthread.cfm?qid=1174164&page=1
http://www.brianmadden.com/forums/t/22967.aspx
http://support.citrix.com/article/CTX105313
http://66.165.176.77/proddocs/index.jsp?topic=/web-interface-gransden/wi-configure-alternate-address-gransden.html

Mr Bunk,
Thanks for your answer, but your answer is still unclear. How would the setup be? I've read your links. I want a clear idea; if you can make a simple diagram so I can understand your idea more, thanks.
Do you already have a vpn solution on your network?
Do you have other incoming traffic to your firewall (like hosting another site) or will this (Citrix) be the only traffic?
Also, is your internet connection a static address or dhcp from isp?

I am looking at the best way to help you.

Mr. Bunk,
I don't have a VPN connection between my sites, but I have a PIX 515E. In the future I will make a VPN from my home to troubleshoot my end users by VNC, that's it.
I have only 3 main servers (Exchange 2003, Citrix PS 4.0, web server, BlackBerry) and I didn't create a DMZ; I have one network.
The internet connection is static, not DHCP from the ISP. Waiting for your advice.
Thanks, Sir
ASKER CERTIFIED SOLUTION
bigbunk390

This solution is only available to members.
Sir, if I want to set up a secure gateway, how would the diagram/setup be? Sorry for my questions.
Thanks in advance
SOLUTION
This solution is only available to members.
I want to change the closing
10x
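
An added example, not part of the thread or any participant's post: a small Python audit that reads PIX-style `access-list` lines and lists which inbound TCP ports reach the Citrix host beyond what a chosen design needs (443 only for the Secure Gateway design, or 80 only for the Web Interface advice, both discussed above). The ACL name `outside_in`, the addresses, and the sample lines are constructed assumptions.

```python
import re

# Named TCP ports as PIX/ASA writes them in access-list lines (subset used here).
PORT_NAMES = {"www": 80, "https": 443, "citrix-ica": 1494}

# access-list NAME [extended] permit tcp any host IP (eq PORT | range LO HI)
ACL_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?:extended\s+)?permit\s+tcp\s+any\s+"
    r"host\s+(?P<dst>\S+)\s+(?:eq\s+(?P<eq>\S+)|range\s+(?P<lo>\S+)\s+(?P<hi>\S+))\s*$"
)

def to_port(token):
    """Resolve a port literal (name or number) to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)

def exposed_ports(config, acl, host):
    """Return the set of TCP ports that `acl` permits from any source to `host`."""
    ports = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m["acl"] != acl or m["dst"] != host:
            continue  # other ACLs, other hosts, or lines this audit does not cover
        if m["eq"]:
            ports.add(to_port(m["eq"]))
        else:
            ports.update(range(to_port(m["lo"]), to_port(m["hi"]) + 1))
    return ports

def audit(config, acl, host, allowed):
    """Ports open to the internet beyond what the chosen design needs."""
    return sorted(exposed_ports(config, acl, host) - set(allowed))

# Constructed sample: the layout firewall(http,https,1494) -> Citrix on the LAN.
# 203.0.113.10 is a documentation address standing in for the public Citrix address.
SAMPLE = """\
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.10 eq https
access-list outside_in permit tcp any host 203.0.113.10 eq citrix-ica
access-list outside_in permit tcp any host 203.0.113.20 eq smtp
"""

if __name__ == "__main__":
    # Secure Gateway design from the thread: only 443 from the internet.
    print("beyond 443 only:", audit(SAMPLE, "outside_in", "203.0.113.10", {443}))
    # Web Interface advice from the thread: port 80 and no other ports.
    print("beyond 80 only:", audit(SAMPLE, "outside_in", "203.0.113.10", {80}))
```

Run it against the output of the firewall's configuration listing, with the real ACL name and public address substituted; an empty list means the host is exposed on no more ports than the chosen design calls for.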