Should I open port 80 for Citrix?

Should I open port 80 for Citrix presentation frame 4.0 to be accessed from outside the company?
i_harfoush Asked:
kcohne Commented:
Port 80 is www traffic. So unless you are blocking internet traffic to the company as a whole, I would imagine that it is already open.

If it is not, then that really depends on the needs of your company and your internal security policies.
i_harfoush Author Commented:
Sir,
I open port 80 from outside to Citrix, and Citrix is on the LAN because of the internal application being used. Somebody told me to block this port, you don't need it, and it is risky. Please advise.
kcohne Commented:
Probably the best thing you can do if you need to serve an application to the outside world is to create a DMZ Zone.
i_harfoush Author Commented:
But the internal application will not work :(
i_harfoush Author Commented:
If I block port 80 from outside to Citrix, will Citrix stop working?
bigbunk390 Commented:
What error do you receive?

Normally port 80 is used to connect to the Web Interface; from the Web Interface, when you select an application, it will create a session using port 1494 to the server.

That is unless you have a device (Access Gateway) that uses (SSL) 443 to connect from the web; then you would only need 443 open.
i_harfoush Author Commented:
Yes Mr Bunk,
I am entering first to citrix.xxx.com from my home, and the users too,
so I have to open port 80, and Citrix is on the LAN, not on a DMZ, because I have to host internal applications. Is it risky?
i_harfoush Author Commented:
Because I am hosting (ERP application, internal web application, Outlook, VNC, ...)
bigbunk390 Commented:
I would say it is risky. Would you be able to allocate another computer/server to serve as entry point using Citrix Secure Gateway?

I know some would say it's ok to do it the way it is now, but I say never give in to chance.
i_harfoush Author Commented:
So what is your suggestion, Sir?
bigbunk390 Commented:
If you are a big company I would go with a real device (Access Gateway); if you are a small shop you can get away with Citrix Secure Gateway. It is software based and can run on a workstation or server, depending on the resources you have available. Once configured, which isn't too hard, you will only need to open port 443 from the internet.

You will need a certificate for it to work.

How many people do you think will use this access?

I know there have been posts on how to set it up the way you were trying; it's ok for some but not for others, in my opinion.


i_harfoush Author Commented:
I am in a medium-size company, but there is no financial resource for my department. I have poor resources, and I am trying to do the best for my company. The setup is like this:
---------Wan---------firewall(http,https,1494)--------Citrix(LAN)--------(local resources).
What can I do right now?
There are 5 people using this poor Citrix, including me, from our homes.
bigbunk390 Commented:
In that case, yes, you should open port 80 to the Web Interface, but no other ports.
Can you place the Web Interface in a DMZ? You will need to set up an alternate address on the Citrix server and configure Web Interface with it also.

Here are some links for you to read to give you a better idea.
http://www.tek-tips.com/viewthread.cfm?qid=1174164&page=1
http://www.brianmadden.com/forums/t/22967.aspx
http://support.citrix.com/article/CTX105313
http://66.165.176.77/proddocs/index.jsp?topic=/web-interface-gransden/wi-configure-alternate-address-gransden.html

i_harfoush Author Commented:
Mr Bunk,
Thanks for your answer, but your answer is still unclear. How would the setup be? I've read your links; I want a clear idea. If you can make a simple diagram so I can understand your idea more, thanks.
bigbunk390 Commented:
Do you already have a VPN solution on your network?
Do you have other incoming traffic to your firewall (like hosting another site) or will this (Citrix) be the only traffic?
Also, is your internet connection a static address or DHCP from the ISP?

I am looking at the best way to help you.

i_harfoush Author Commented:
Mr. Bunk,
I don't have a VPN connection between my sites, but I have a PIX 515e. In the future I will make a VPN from my home to troubleshoot my end users by VNC, that's it.
I have only 3 main servers (Exchange 2003, Citrix PS 4.0, webserver, BlackBerry) and I didn't create a DMZ; I have one network.
The internet connection is static, not DHCP from the ISP. Waiting for your advice.
Thanks, Sir
bigbunk390 Commented:

Again, I do not recommend going this route, as security-wise you will be exposed.
I recommend at minimum you get a computer and set up Citrix Secure Gateway on it. But ultimately it is your choice.

Attached is what it should look like.

This link shows you steps to set it up; the parts that apply to you:
http://www.dabcc.com/article.aspx?id=12797&page=1


If there is anyone out there who can tighten this up further for this user, or knows of a free alternative given the user's resources, please interject.
Capture4-28-2010-9.19.32-AM.jpg

i_harfoush Author Commented:
Sir, if I want to set up a secure gateway, how would the diagram/setup be? Sorry for my questions.
Thanks in advance
bigbunk390 Commented:
Below is the image of what it would look like when used in a non-DMZ environment. Although a DMZ is recommended, you can get by without it as long as the traffic is highly restricted.

Also, you should know that you will need a certificate for it to work.

Here is the Secure Gateway admin guide, which has all the info you will need plus some diagrams for the different ways it can be set up (single, multiple tiers/DMZs):
http://www.thin-world.com/docs/Windows_Secure_Gateway_Guide30.pdf
Capture4-29-2010-2.44.47-PM.jpg
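
Added example (not part of the original thread or any poster's configuration): a small audit that compares inbound firewall permits against the posture recommended in the answers above, where only port 443 to a Secure Gateway host is reachable from the internet. It assumes simplified PIX-style `access-list` lines; the ACL name, the addresses (documentation range 192.0.2.0/24) and the function names are constructed for illustration.

```python
import re

# Named ports a PIX-style ACL may use instead of numbers (subset used here).
PORT_NAMES = {"www": 80, "https": 443, "citrix-ica": 1494}

# Simplified rule shape (assumption): access-list NAME permit tcp any host IP eq PORT
RULE_RE = re.compile(r"^access-list\s+\S+\s+permit\s+tcp\s+any\s+host\s+(\S+)\s+eq\s+(\S+)$")

# Constructed sample: the setup from the thread, http/https/1494 straight to Citrix on the LAN.
CURRENT_ACL = """\
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in permit tcp any host 192.0.2.10 eq https
access-list outside_in permit tcp any host 192.0.2.10 eq citrix-ica
"""

# Constructed sample: only 443 to a separate Secure Gateway host.
GATEWAY_ACL = "access-list outside_in permit tcp any host 192.0.2.20 eq 443\n"


def parse_rules(acl_text):
    """Return (dst_ip, port) for each inbound permit; unknown port names become None."""
    rules = []
    for line in acl_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            dst, tok = m.groups()
            rules.append((dst, int(tok) if tok.isdigit() else PORT_NAMES.get(tok)))
    return rules


def audit(acl_text, gateway_ip, allowed_port=443):
    """List every internet-facing permit other than gateway_ip:allowed_port."""
    findings = []
    for dst, port in parse_rules(acl_text):
        if (dst, port) == (gateway_ip, allowed_port):
            continue
        if port == 1494:
            why = "ICA session port reachable directly from the internet"
        elif port == 80:
            why = "cleartext HTTP exposed to the internet"
        elif dst != gateway_ip:
            why = "traffic bypasses the Secure Gateway host"
        else:
            why = "port not needed once the gateway fronts Citrix"
        findings.append((dst, port, why))
    return findings


if __name__ == "__main__":
    for name, acl in (("current", CURRENT_ACL), ("gateway", GATEWAY_ACL)):
        print(name, audit(acl, "192.0.2.20"))
```

Run against an export of the real rule set, an empty result means the only internet-facing entry point is the gateway on 443.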
i_harfoush Author Commented:
I want to change the closing
i_harfoush Author Commented:
10x