[NCSA-discuss] a shameful problem
Rock Roskam
Rock.Roskam at sas.com
Fri Jun 23 09:43:01 EDT 2006
Citrix has its own product, Citrix Secure Gateway, that can secure the communications with the Web Interface Gateway. It comes with whatever version of Citrix you are running. You can put the Web Interface on an Apache box and make that box or VMware session the only available port externally via 443. The Secure Gateway and Web Interface can be on the same box, but then it would be Windows. The only external port needed would be 443 if set up correctly. The Web Interface and Secure Gateway can be in a DMZ and connect back to the Citrix/terminal server via port 443 if you SSL the Citrix communications; otherwise it generally uses ports 8080 and 1494. This allows you to traverse NAT and firewalls with the product. Note that on my versions of Citrix, running the Windows lockdown script on the Citrix boxes to secure them caused numerous problems with the Citrix/Terminal server. I recommend separating out the box's web components from the Citrix/Terminal Services components.
Rock Roskam
-----Original Message-----
From: ncsa-discussion-bounces at ncsysadmin.org [mailto:ncsa-discussion-bounces at ncsysadmin.org] On Behalf Of Jason Tower
Sent: Thursday, June 22, 2006 11:50 PM
To: NC*SA Discussion List
Subject: [NCSA-discuss] a shameful problem
ok, i'm ashamed and embarrassed to admit it, but i have one windows server that i have to administer. it's a citrix server running under vmware, and here's the catch: i need to run it with a public ip address - no external firewall, no nat.
now, on a real server (read: *nix) i simply turn off all services that i don't want, verify with 'netstat -an' that only the ports i want listening are actually open, and away i go. on this godforsaken windows box running 'netstat -an' yields the following (note that it is currently behind a nat device, hence the 10.1.1.11 ip):
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1036           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1039           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1043           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1494           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2512           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2513           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27000          0.0.0.0:0              LISTENING
  TCP    10.1.1.11:139          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8009         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1037           *:*
  UDP    0.0.0.0:1041           *:*
  UDP    0.0.0.0:1276           *:*
  UDP    0.0.0.0:1434           *:*
  UDP    0.0.0.0:1604           *:*
  UDP    0.0.0.0:3701           *:*
  UDP    0.0.0.0:3771           *:*
  UDP    0.0.0.0:3820           *:*
  UDP    0.0.0.0:4057           *:*
  UDP    0.0.0.0:4094           *:*
  UDP    0.0.0.0:4309           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    0.0.0.0:4561           *:*
  UDP    0.0.0.0:4615           *:*
  UDP    10.1.1.11:123          *:*
  UDP    10.1.1.11:137          *:*
  UDP    10.1.1.11:138          *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:3768         *:*
  UDP    127.0.0.1:3817         *:*
  UDP    127.0.0.1:4054         *:*
  UDP    127.0.0.1:4091         *:*
  UDP    127.0.0.1:4186         *:*
  UDP    127.0.0.1:4306         *:*
  UDP    127.0.0.1:4487         *:*
  UDP    127.0.0.1:4558         *:*
  UDP    127.0.0.1:4612         *:*
  UDP    127.0.0.1:4651         *:*
holy smegging crap, this is what redmond considers "secure"? the only external ports i want open are tcp 80/443 for the citrix web interface, and tcp 1494 for citrix itself. presumably i can ignore the ports bound to 127.0.0.1, but i don't have a clue about all the others, or how to disable them. if anyone can help me prepare this box for public ip duty, lunch (including beer) is on me.
jason
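Rock's reply above puts only 443 in front of the Web Interface; Jason's question is how to tell, from the `netstat -an` listing he posted, which of those sockets actually matter once the NAT device goes away. The script below is an added example and is not part of either message. It parses `netstat -an` output of the shape posted above, sets aside sockets bound to loopback, and compares everything else against an allowlist of the ports the box is meant to expose (tcp 80/443/1494 per Jason's post; Rock's design would narrow that to 443). The sample input is constructed from a subset of the listing above, and the allowlist and function names are this example's own, not from any Citrix or Windows tool.

```python
import re

# Constructed sample: a subset of the netstat -an listing from the post above,
# plus one ESTABLISHED row to show that connections are not listeners.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1494           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.1.1.11:139          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8009         0.0.0.0:0              LISTENING
  TCP    10.1.1.11:3389         10.1.1.50:51234        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1434           *:*
  UDP    0.0.0.0:1604           *:*
  UDP    10.1.1.11:137          *:*
  UDP    127.0.0.1:123          *:*
"""

# Ports the box is supposed to expose (Jason's list). Assumption for this
# example; Rock's Secure Gateway layout would reduce it to TCP 443 only.
ALLOWED_EXTERNAL = {("TCP", 80), ("TCP", 443), ("TCP", 1494)}

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(text):
    """Return (proto, addr, port) for every socket that will accept traffic.

    TCP rows count only in LISTENING state; ESTABLISHED/TIME_WAIT rows are
    connections, not exposure. Every UDP row is a bound socket and counts.
    """
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, blank lines
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append((proto, addr, int(port)))
    return listeners


def is_loopback(addr):
    """True for sockets only reachable from processes on the host itself."""
    return addr.startswith("127.") or addr == "::1"


def audit(text, allowed):
    """Bucket listeners into loopback, allowed external and unexpected external.

    Anything bound to 0.0.0.0 or to the box's own interface address becomes
    reachable from the Internet the moment the host gets a public IP with no
    firewall in front, so everything not in `allowed` is flagged.
    """
    report = {"loopback": [], "allowed": [], "unexpected": []}
    for proto, addr, port in parse_listeners(text):
        if is_loopback(addr):
            report["loopback"].append((proto, addr, port))
        elif (proto, port) in allowed:
            report["allowed"].append((proto, addr, port))
        else:
            report["unexpected"].append((proto, addr, port))
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_NETSTAT, ALLOWED_EXTERNAL)
    for bucket in ("allowed", "unexpected", "loopback"):
        print(bucket)
        for proto, addr, port in result[bucket]:
            print("  %s %s:%d" % (proto, addr, port))
```

The loopback split follows Jason's assumption that 127.0.0.1 bindings can be set aside, with the caveat that a loopback-bound service is still reachable by anything already running on the host, so it is a lower priority rather than a non-issue. The "unexpected" bucket is the to-do list: each entry needs to be mapped to a service and either stopped or bound to loopback. On Windows, `netstat -ano` adds the owning PID to each row, which is the quickest way to find out which service holds a port.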
_______________________________________________
ncsa-discussion mailing list
ncsa-discussion at ncsysadmin.org
http://www.ncsysadmin.org/mailman/listinfo/ncsa-discussion