Thursday, July 10, 2008

[THIN] Re: ICA Client Encryption

My understanding of how this works is that for external traffic, your ICA
traffic between the client and CAG is encrypted. The strength depends on
the cert you purchase. If you add RSA then of course you have two factor
authentication. You can use another cert to encrypt the traffic between WI
and Presentation server to secure the XML traffic. By turning on ICA
encryption you are essentially protecting the internal ICA traffic. Anyone
using certs to secure their XML traffic between WI and Presentation server
if both are in internal network?

Mike
Original Message:
-----------------
From: Steve Greenberg steveg@thinclient.net
Date: Thu, 10 Jul 2008 07:05:22 -0700
To: thin@freelists.org
Subject: [THIN] Re: ICA Client Encryption


Yes, Briforum rocked!!

If all external connections are AG then the outside is "protected", the
question is how important is it to encrypt traffic on the inside. Keep in
mind that ICA is not your biggest internal exposure, the html and xml stuff
between WI, AG and the XML service is actually more vulnerable. To secure
this stuff you need certs between these boxes. As far as 128 ICA encryption
I would always turn it on, the few % of CPU it might take is worth knowing
that the ICA traffic is secure as it travels around, also consider
encrypting authentication in any scenario .

Steve Greenberg

Thin Client Computing

34522 N. Scottsdale Rd D8453

Scottsdale, AZ 85266

(602) 432-8649

www.thinclient.net

steveg@thinclient.net

_____

From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf
Of Jensen, Jay
Sent: Thursday, July 10, 2008 5:58 AM
To: thin@freelists.org
Subject: [THIN] ICA Client Encryption

Hello gang, BriForum 2008 at Chicago Navy's Pier rocked!! What a relaxed
and awesome venue!

My new boss wants to put the ICA (XenApp Client 10.20) encryption level
from our previous 128-bit encryption to Basic encryption when we migrate to
our new XenApp 4.5 Farm. In the past we have always used 128-bit encryption
due to security to reduce any chance a hacker could intercept our ICA TCP/IP
packets and jeopardize our Citrix Farm / Corporate data. We are an
international business with over a 250-server farm so it is imperative we
get it right!

We use CSG today for our External Citrix connection and we are in the
process of migrating to Access Gateway both internally and externally.

What is everyone else using for ICA client encryption and/or can you point
me to a whitepaper or recommendation site what is the best practice on ICA
Client encryption? I guess I am old school and maybe I am being stupid in
recommending 128-bit encryption on the ICA client and I would like one of
experts in this list to guide me in the rigiht direction and ease my fears
that Basic ICA encryption is what should be used!

Thank You in advance for your assistance.

Jay Jensen
Citrix Team
Americas Sales and Distribution IT
Trane Commercial Systems
Ingersoll Rand

3600 Pammel Creek Road, La Crosse, WI 54601
Tel: 608-787-4619

E-mail: jjensen@trane.com

www.trane.com

The information in this message is the property of Ingersoll Rand Company.
This message is intended only for the use of the addressee named above and
may contain legally privileged and/or confidential information. If you are
not the intended recipient of this message, you are hereby notified that any
use, dissemination, distribution or copying of this message is strictly
prohibited. If you receive this message in error, please notify us
immediately by telephone or return e-mail and delete the message, all copies
thereof and any attachments. We thank you for your cooperation.

--------------------------------------------------------------------
mail2web.com – Enhanced email for the mobile individual based on Microsoft®
Exchange - http://link.mail2web.com/Personal/EnhancedEmail


************************************************
For Archives, RSS, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://www.freelists.org/list/thin
NEW! Follow Thin List on Twitter!
http://twitter.com/thinlist
Thin List discussion is now available in blog format at:
http://thinmaillist.blogspot.com
HOT! Thinlist MOBILE Feed!
http://thinlist.net/mobile
Thinlist quick pick
http://thinlist.net
************************************************

No comments: