Host web site in Citrix

Hi,

I have a task to complete for a customer and it is a strange one. They want to host an IIS server in the DMZ, with a resource on the same IIS server that will only be serving their domain users. (So what's the point of having it in the DMZ if it is not going to be accessible by non-domain users?? No idea!)

This is only one single server with no backend SQL. The main aim is to allow domain users to access this resource from any device. I believe this concept has security concerns since it will be accessible from any device (at least that is what I think!).

My question is: what is the best way of authenticating users with their domain when the server is in the DMZ? My suggestion would be to use Citrix to publish the content to users, but Citrix works with a front-end and a back-end system. Is there any way I can have the IIS server with its content on a single Citrix server?

In the worst-case scenario I am going to suggest the server be put in the normal domain.
kuzum Asked:
 
pand0ra_usa Commented:
Once the user VPNs in they can connect to the Citrix server. I would suggest some sort of central authentication like Active Directory/LDAP. Windows systems default to sending AD credentials any time a Windows resource is accessed, so if they are already logged into their personal computer with AD credentials it will be transparent to the user.


Simple diagram
0
 
pand0ra_usa Commented:
I do penetration tests on a daily basis and I would suggest not putting an RDP/Rdesktop/Citrix server directly on the Internet. I would suggest that they set up an IPSEC VPN (using 2-factor authentication) and require users to VPN in first, then connect to the resource. I just got done with an assessment where the client had a vulnerable web application that allowed for file upload; we uploaded a web shell, then after finding the local Administrator password we took that to the RDP server and logged into the system, then proceeded to get Domain Admin. An IPSEC VPN would have prevented me from getting in as I didn't have a domain user credential.

Using RDP/Citrix services and connecting them directly to the Internet is a "bad idea" in my opinion because you are basically allowing an attacker to stand in the same room as your computer system. Even if Citrix is configured for 2-factor auth it is still possible to hijack the auth token and use it before the user does. Much of Citrix services are done over SSL/TLS, which is pretty trivial to bypass when doing MITM.

Additionally, I would suggest NOT combining services onto a single system. You can do it but again it is a "bad idea".
0
 
kuzum Author Commented:
Pandora, thanks for the detailed information. I agree with what you said. There is a lot of information I will still need from the client. What I know is that RDP or VPN is possibly not ideal, as this site and content will also be accessed via mobile phones and tablets.
Is your solution still valid for this?
0
 
pand0ra_usa Commented:
You can have phones and tablets connect over VPN and then connect to the services. The end user would have 1 extra step (connecting to VPN). Once they connect to the VPN then they can connect to the service. I do that regularly with my phone.
0
 
kuzum Author Commented:
Thanks pand0ra,

Could you please explain this, maybe with a simple or high-level design map?

The client's server will be in the DMZ, only accessible to domain users. When the http link is launched by users, how can I authenticate domain users? Users won't need to do any RDP as this is only access to an http link on the server.

thanks
0
 
kuzum Author Commented:
Thanks Pand0ra,

LDAP or ADFS is the key issue. This is the issue I am facing, hence I thought Citrix would be a good solution. Imagine a user comes in with a portable device (iPad, BB etc.) and connects to the domain, and the next step is for this user to be able to access the site in the DMZ. Currently there is no trust between the DMZ and the domain. One other solution I can think of is a third-party ADFS provider like SAML etc., but I am really keen to resolve this without that, and VPN or Citrix seems ideal.
0
 
kuzum Author Commented:
Maybe we can implement your solution with the best method of authenticating domain users for web servers in the DMZ, but the question would be: what is the best authentication method for DMZ users? (No internet access, only for domain users.)
0
 
Chris Burns (Citrix Architect) Commented:
The thing to realize with Citrix is there is a right way to deploy it and a wrong one. Putting a Citrix XenApp server in a DMZ is a huge error. I'm assuming the resource you're trying to deploy is an application or a web site via IE. The right way to do it is to get a Netscaler/Netscaler Gateway appliance or VPX (virtual appliance) and put that in the DMZ. The web-facing portion provides the ability to do LDAP authentication without exposing your internal network, since this is a dual-NIC setup: one NIC is on the DMZ and the other is configured for your internal network. Everything is tunneled via SSL/TLS from the client to the Netscaler device. Depending on the Citrix licensing you can also leverage an SSL VPN. Once the user authenticates at the Netscaler Gateway login page you can have it forwarded to either Storefront or a Web Interface to have the user launch an app. The credentials are completely pass-through, so they don't have to authenticate to Storefront or the Web Interface.

The great thing about this is it works the same from a PC, Mac, iPhone/Android, or tablet device.

Here's a good guide for a simple Storefront and Netscaler 10.5 setup:

http://www.archy.net/netscaler-10-5-and-storefront-2-5-2-configuration/

If you need more of an explanation, it's a little bit easier with more information, like what version of XenApp you are going to be using, because you can also still leverage Citrix Secure Gateway as long as you aren't using XenApp/XenDesktop 7 or higher.
0
 
pand0ra_usa Commented:
@Chris Burns "Putting a Citrix XenApp server in a DMZ is a huge error"

Why do you think that?
0
 
kuzum Author Commented:
What I was thinking is to add a spare NIC to the server that I am planning to put in the DMZ (only the IIS role and the resource on it, with no backend server), and that NIC will be on the internal network subnet and locked down on the DMZ server with firewalls.

Citrix was my first initial thought, but is it possible to host one single server in the DMZ? I don't think I can put a XenApp server in the DMZ; not sure if this would be a good idea?
0
 
Chris Burns (Citrix Architect) Commented:
@pand0ra_usa

XenApp servers aren't designed to be accessed directly from the Internet. That's what Netscalers, Netscaler Gateways and Web Interface servers are designed to be used for. The idea of a DMZ is a containment zone that doesn't have direct access to your data. Putting the XenApp server in the DMZ unnecessarily exposes data to attacks.

You used to be able to put Web Interface servers in the DMZ if you couldn't leverage Citrix Secure Gateway, but with Storefront they require AD authentication, so you always want to protect those with Netscalers or Netscaler Gateways. The comments about forcing a VPN: it is possible and I've seen that done, but that makes connecting a huge pain since you have to establish the VPN connection and then open the Citrix Receiver. Not many users want to be inconvenienced like that.
0
 
robocat Commented:
> Users won't need to do any RDP as this is only access to a http link on the server.

If all you're trying to accomplish is allowing users authenticated access to a webserver, then you're overthinking this.

Simply put a reverse proxy server in front of the webserver and configure the reverse proxy for AD authentication.

There's a nice diagram about half way on this page that shows how this works:

https://technet.microsoft.com/en-us/library/dn584113.aspx

This is much simpler, cheaper and easier than VPN or Citrix solutions.

Also, there are lots of reverse proxy servers to choose from (Windows Server 2012 R2, Citrix Netscaler, ...).
0
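Both Chris Burns (Netscaler in the DMZ, credentials passed through) and robocat (reverse proxy with AD authentication) describe the same pattern: authenticate at the edge, and let nothing unauthenticated reach the IIS box. The following toy pre-authenticating proxy is a constructed illustration added here, not code from the thread or from any Citrix or Microsoft product; the `dmzsess` cookie name, the session table standing in for the AD/ADFS check, the backend address and the `X-Remote-User` header are all assumptions.

```python
"""Toy pre-authenticating reverse proxy for a web server in the DMZ.

Constructed example. SESSIONS stands in for the AD/ADFS pre-authentication a
real proxy (Web Application Proxy, Netscaler, ...) performs; BACKEND is the
internal IIS origin, reachable only from this proxy, never from the Internet.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from http.cookies import SimpleCookie, CookieError
import urllib.request

SESSIONS = {"s3ss10n-abc": "CONTOSO\\alice"}   # constructed: cookie -> user
BACKEND = "http://10.0.0.5"                    # assumed internal IIS address
IDENTITY_HEADER = "X-Remote-User"              # assumed header IIS trusts

def authenticated_user(cookie_header):
    """Return the domain user for a valid session cookie, otherwise None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except CookieError:
        return None
    morsel = jar.get("dmzsess")
    return SESSIONS.get(morsel.value) if morsel else None

def forward_headers(client_headers, user):
    """Build the headers sent to the backend. The client's own copy of the
    identity header (and its session cookie) is dropped first, so only the
    proxy can assert who the user is; this is the step that makes the
    backend's trust in X-Remote-User safe."""
    strip = {"connection", "host", "cookie", IDENTITY_HEADER.lower()}
    out = {k: v for k, v in client_headers.items() if k.lower() not in strip}
    out[IDENTITY_HEADER] = user
    return out

class PreAuthProxy(BaseHTTPRequestHandler):
    def do_GET(self):
        user = authenticated_user(self.headers.get("Cookie"))
        if user is None:              # unauthenticated: the backend never sees it
            self.send_response(401)
            self.end_headers()
            return
        req = urllib.request.Request(BACKEND + self.path,
                                     headers=forward_headers(self.headers, user))
        with urllib.request.urlopen(req, timeout=5) as resp:
            body, status = resp.read(), resp.status
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8443), PreAuthProxy).serve_forever()
```

In a real deployment the identity would be carried by Kerberos constrained delegation or a signed token rather than a plain header, and the IIS server's firewall would accept HTTP only from the proxy's internal address.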
 
kuzum Author Commented:
Chris, thanks for your time and effort in explaining this; would it be possible to show this scenario on a diagram, please?

@Robocat - I will consider this, it seems a good idea.
0
 
Chris Burns (Citrix Architect) Commented:
Citrix has a great diagram in their XenDesktop Blueprint:

https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/xendesktop-deployment-blueprint.pdf

Go to page 5 and look at the access layer. The only part of the access layer that is in the DMZ is the Netscaler.

For one application Citrix is probably a tough sell.  However, if you can find other applications to deliver it's by far the best solution.
0
 
kuzum Author Commented:
Chris, thanks for all the effort, but I'm still not clear how a single URL will be presented with Citrix, where my IIS site sits with its resource on the same single server?
0
 
Chris Burns (Citrix Architect) Commented:
Sorry, I'm at a conference so drawing isn't easy. Logically speaking, this is how it flows:

Internet --> Netscaler (DMZ) --> Storefront (delivers the Citrix web experience) --> Citrix XenApp

You can install IIS and the app on a XenApp server, but normally you wouldn't. This is why Citrix might not be a great solution unless you want to scale above one app. You need to have a license server, a delivery controller/data collector (SQL required), Storefront, then your application servers, or in your case an IIS server. For small deployments you can put licensing, Storefront and the Delivery Controller on the same box with XenApp 7.x, but you still need another XenApp server to provide the user logins.

So in your case you would need at least three VMs plus the Netscaler VPX. At that level, though, you don't have redundancy, so your high availability would be provided by a hypervisor technology.
0
 
robocat Commented:
In this case, using Citrix is like using a bulldozer to move your cat litter to the bin. The bulldozer would get the job done but it is a way too complex solution for a very simple problem.  

Citrix is an expensive product to license and requires in-depth knowledge to get it working and maintain it. Really, this is not the solution for your problem.

The reverse proxy is simple and cheap and especially designed for this purpose.
0
 
kuzum Author Commented:
I've requested that this question be deleted for the following reason:

did not fit the purpose
0
 
robocat Commented:
This is not an adequate reason to close a question without awarding points.

The question was answered and an adequate alternative solution was also provided.
0