Our case study, CME Corp, has defined requirements for external access covering traveling sales staff, home users, Internet kiosks, and wireless Internet WANs (Sprint, Verizon, T-Mobile, and others), supporting everything from dial-up to broadband connection speeds.
In order to support these requirements, CME has chosen to implement MetaFrame Web Interface with MetaFrame Secure Gateway to create an access center.
CME's secure access center deployment runs on Microsoft Internet Information Server version 6.0 on Windows Server 2003. Figure 16-1 diagrams the infrastructure pieces that make up the secure access center.
Figure 16-1: The CME secure gateway diagram
Notice from Figure 16-1 that a single dedicated server is used for both the Web Interface and the Secure Gateway software. The ability to place both Secure Gateway and Web Interface on a single server was introduced with Secure Gateway 2.0. In addition to reducing hardware costs, consolidating these two functions also reduces costs by requiring only one server certificate. Also note that, to minimize the risk of hardware failure, two servers are used to provide fault tolerance in conjunction with a third-party load balancer.
The Secure Gateway deployment in the demilitarized zone (DMZ) is accompanied by a third-party server certificate from VeriSign (other third-party certificates are also supported). The MetaFrame XP and MetaFrame for UNIX servers, as well as a Secure Ticket Authority (STA) server, are in the internal LAN. The STA server also has a server certificate, issued by an internal Certificate Authority (CA), to encrypt the traffic from itself to the Web Interface/Secure Gateway server. Additional WAN/LAN CME network details are discussed and diagrammed in Chapter 17.