Securing the Web Interface

Figure 14.5 shows the familiar standard Web Interface configuration, but this time you can see the specific protocols the services use to communicate.

Figure 14.5. Three different communication channels should be secured in a Web Interface implementation.


There are three distinct communication scenarios:

  • Client <-> Web Interface: Data is transmitted between the client web browser and the Web Interface via standard HTML. User credentials, the generated ICA file for application connections, and a session cookie are all information that could potentially be intercepted or accessed unless communications are secured. Communications can be secured by requiring HTTPS (secure HTTP). You need only to configure the web server hosting the Web Interface to require secured (SSL/TLS) connectivity. This requires that an authentication ticket be stored on the web server. SSL/TLS provides server authentication, data encryption, and message integrity validation.

    The use of single sign-on can also create a potential security issue. If the user were to receive an ICA file from an attacker, it could potentially transmit the user credentials to an unauthorized or counterfeit server. Disabling single sign-on eliminates this risk and provides a more secure environment.

  • Web Interface <-> Presentation Server: The Web Interface and Presentation Server transmit user credentials and application set information via the Citrix XML Service. All Citrix XML data is transmitted in plain text, except for passwords, which are scrambled using a trivial algorithm.

    Transmissions between these two servers can be secured by employing Citrix SSL Relay. SSL Relay is installed with Presentation Server and allows you to employ SSL to secure the Citrix XML data transmission. To use SSL Relay, you must install a separate certificate on each Presentation Server. SSL Relay uses the Microsoft SSL implementation, known as SChannel, and shares the same Registry-based certificate store as Windows and IIS. This allows certificates imported through IIS (when running on the Presentation Server) or the Microsoft Management Console (MMC) Certificate snap-in to be used by SSL Relay. SSL Relay is configured for the Web Interface either through the MetaFrame Server settings or by editing the WebInterface.conf file. Within the file, locate the line beginning with

     SessionField.NFuse_<Farm Name>

    where <Farm Name> is the farm that you are editing. If you have only the default farm, it is called "Farm1". Modify the Transport entry so it says Transport:SSL. Then modify the SSLRelayPort entry so it says SSLRelayPort:443, or an alternate port if SSL Relay is not listening on port 443. Remember to stop and start the web server for the changes to take effect.

    If you are not able to employ SSL Relay, you can eliminate the risk of unsecured Citrix XML Service transmissions by running the Web Interface directly on a Presentation Server. The Web Interface can then be configured to communicate with the local XML Service, eliminating network traversal of the XML data.

  • Client <-> Presentation Server: The final communication channel to secure involves the client and the Presentation Server. This actually occurs when the user launches a published application. Three options exist for securing client session communications:

    • ICA Encryption: Also known as SecureICA, ICA Encryption was discussed in Chapter 9, "MetaFrame Security." ICA Encryption does not provide server authentication, making it susceptible to man-in-the-middle attacks. Citrix recommends that you employ an alternate method of securing session transmissions when clients are connecting over an unsecured network such as the Internet.

    • SSL/TLS: Presentation Server supports users connecting to the server using SSL/TLS. This connection is managed through the SSL Relay service, just as secured connections to the Presentation Server from the Web Interface are managed. After SSL Relay has been configured, clients can connect to the server using SSL/TLS. SSL/TLS provides the server validation component not found in ICA Encryption.

    • Secure Gateway: The Secure Gateway allows for the securing of client/server communications by creating an SSL/TLS-based gateway between the ICA clients and the Presentation Server farm. Instead of users connecting directly to a server via name or IP address, clients connect to the server farm through the Secure Gateway, which proxies all communications between the client and the server.
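
An audit check for the SSL Relay setting described in the Web Interface <-> Presentation Server section, added here as an example (not code from the book or from Citrix): it parses the farm lines of a WebInterface.conf and reports any farm whose Transport entry is not SSL, i.e. whose Citrix XML Service traffic still crosses the network in plain text. It assumes the whole farm line uses the comma-separated Key:Value form the text shows for Transport and SSLRelayPort, with plain entries being server names; the sample lines are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample farm lines from a WebInterface.conf (not taken from a real file).
# Assumed line shape: SessionField.NFuse_<Farm Name>=<server>,...,<Key:Value>,...
SAMPLE_CONF = """\
# WebInterface.conf (constructed sample)
SessionField.NFuse_Farm1=ps01,ps02,XMLPort:80,Transport:HTTP,SSLRelayPort:443
SessionField.NFuse_Farm2=ps03,XMLPort:443,Transport:SSL,SSLRelayPort:443
SessionField.NFuse_Farm3=ps04,XMLPort:80,Transport:SSL,SSLRelayPort:8443
"""

FARM_LINE = re.compile(r"^SessionField\.NFuse_(?P<farm>[^=\s]+)=(?P<value>.*)$")


def parse_farm_lines(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Return {farm name: {entry key: value}} for each SessionField.NFuse_ line.

    Entries without a colon are treated as server names and joined under the
    synthetic key "Servers"; comment and blank lines do not match and are skipped.
    """
    farms: Dict[str, Dict[str, str]] = {}
    for raw in conf_text.splitlines():
        m = FARM_LINE.match(raw.strip())
        if not m:
            continue
        entries: Dict[str, str] = {}
        servers: List[str] = []
        for item in m.group("value").split(","):
            key, sep, val = item.partition(":")
            if sep:
                entries[key.strip()] = val.strip()
            elif item.strip():
                servers.append(item.strip())
        entries["Servers"] = ",".join(servers)
        farms[m.group("farm")] = entries
    return farms


def find_cleartext_farms(conf_text: str) -> List[Tuple[str, str]]:
    """List (farm, transport) for farms whose XML Service traffic is not sent via SSL Relay."""
    findings = []
    for farm, entries in parse_farm_lines(conf_text).items():
        # A missing Transport entry is assumed to mean the unencrypted default.
        transport = entries.get("Transport", "HTTP")
        if transport.upper() != "SSL":
            findings.append((farm, transport))
    return findings
```

Run it against the real file after the Transport and SSLRelayPort edits and again after restarting the web server; an empty result means every farm line now routes XML Service traffic through SSL Relay.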

All communication channels must be secured to ensure a fully secure environment.



Citrix CCA MetaFrame Presentation Server 3.0 and 4.0 Exam Cram (Exams 223 and 256)
Year: 2003
Pages: 199