Secure Web Browsing via Terminal Server/Citrix

Hi,

I recently came across a unique security architecture in an Insurance Firm I am dealing with. They put a Citrix/TS farm in their DMZ, hosting only IE, and closed outbound ports 80/443.

This way, internal users can *not* access the web unless they use the TS, which is easier to manage, easier to secure, and sits in the DMZ - without access to the internal network. The additional benefit is that the internal network is, in a way, separate/disconnected from the Internet - with all the security benefits associated with that.

Has anyone seen this elsewhere? What do you think of this approach to solving the browsing security-related problems?

Rot

Reply to
rot-eron

"rot-eron" wrote in news:1129497662.548012.222370@g44g2000cwa.googlegroups.com:

No, and I have worked in a Citrix Terminal Server Farm situation. It sounds kind of ridiculous. Duane :)

Reply to
Duane Arnold

If TS is only used for web browsing then yes, it's a good idea... I wouldn't put critical apps on that TS though. This pretty much fixes the spyware issue..

Reply to
jeanmarc.soumet

It is very dumb to use the IE of all browsers.

Yes. And it has many disadvantages. Just try to download a file.

Nothing.

Yours, VB.

Reply to
Volker Birk

Next phase of this project - open all e-mail attachments in the same way - on the DMZ TS machine. The idea - if it comes from the outside, it shouldn't easily get in. Users in most cases just need to see the doc, so a TS session can provide that. Any thoughts? Has anyone seen other places with similar solution? Rot

Reply to
rot-eron

Use openoffice and firefox.

You know that there are programs that transfer files over RDP, right?

-Russ.

Reply to
Somebody.

Then you could use local WordViewer and ExcelViewer, too. Especially, if you're configuring them as default application for Word and Excel Documents, and are showing how to right click to edit with Word and Excel to your users.

Yours, VB.

Reply to
Volker Birk

Right! The TS can not establish connections into the LAN. Printing is done over RDP.

Reply to
rot-eron

Is Firefox compatible enough with IE? How about OpenOffice? Is it compatible enough with Office that I can safely use it?

Reply to
rot-eron

Right. Very few concurrent users (~25) so indeed they have a pretty large farm there. It *is* a problem from a TCO standpoint.

Reply to
rot-eron

"rot-eron" wrote in news:1129575885.650314.297210@f14g2000cwb.googlegroups.com:

I thought a Terminal Server could only allow so many concurrent users/connections. That's why they are in a farm environment, with the same business solutions (not talking about IE, etc.) spread across the farm of servers, so that when one server reaches max capacity, users would be switched to another server on the farm. You don't see a problem?

Duane :)

Reply to
Duane Arnold

While it solves the problem of browsing the web, there is more to it than just blocking outbound 80/443 from the client networks.

Putting a TS in the DMZ, and then allowing the TS box to access services in the LAN, is the same as having the TS in the LAN for most purposes. If the TS box is completely stand-alone, with no connection to the LAN except through non-file/print/MS ports, allowing only things like SQL data or some other service-based application connection, then it's a good idea, since there is no means for a TS-authenticated user to authenticate with any node on the LAN side.

If the TS is able to authenticate with the LAN nodes, then you have compromised the security of the LAN-DMZ networks.

Reply to
Leythos
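The three-zone policy Leythos describes (LAN reaches the DMZ TS on RDP only, only the TS reaches the Internet on web ports, and the TS must never reach Windows authentication/file/print ports on the LAN) can be checked before it is typed into a firewall. The following is an added example written for this page, not code from the thread or from any of the posters; the zone addresses, the 10.0.0.0/16 and 192.0.2.0/24 ranges, the SQL port 1433 and the port list are assumptions chosen to illustrate the rule ordering.

```python
"""Model of a LAN / DMZ-terminal-server / Internet firewall policy and a
segmentation self-check. Added example; addresses, zones and port choices
are assumptions, not taken from the thread."""

from dataclasses import dataclass
import ipaddress

# Constructed address plan (assumption). Anything outside these is INTERNET.
ZONES = {
    "LAN": ipaddress.ip_network("10.0.0.0/16"),
    "DMZ_TS": ipaddress.ip_network("192.0.2.0/24"),
}

# Ports a DMZ host must never reach on the LAN: Kerberos, RPC, NetBIOS,
# SMB, LDAP/LDAPS, Global Catalog. If any of these is open, the TS can
# authenticate against LAN nodes and is effectively inside the LAN.
WINDOWS_AUTH_PORTS = frozenset({88, 135, 137, 138, 139, 389, 445, 636, 3268, 3269})


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: frozenset  # empty set means any destination port
    action: str        # "allow" or "deny"


# Ordered rule set, first match wins, implicit default deny.
POLICY = [
    # Internal users reach the web only through the terminal server (RDP).
    Rule("LAN", "DMZ_TS", "tcp", frozenset({3389}), "allow"),
    # Only the TS talks to the Internet, and only on web ports.
    Rule("DMZ_TS", "INTERNET", "tcp", frozenset({80, 443}), "allow"),
    # The TS may use one application service on the LAN (assumed: SQL on
    # 1433) but never Windows auth/file/print ports; the deny comes first
    # so that a later, broader allow cannot override it.
    Rule("DMZ_TS", "LAN", "tcp", WINDOWS_AUTH_PORTS, "deny"),
    Rule("DMZ_TS", "LAN", "tcp", frozenset({1433}), "allow"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown space is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a single flow under POLICY."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in POLICY:
        if (r.src_zone == src and r.dst_zone == dst and r.proto == proto
                and (not r.dports or dport in r.dports)):
            return r.action
    return "deny"


def segmentation_violations() -> list:
    """Probe the properties the thread relies on; return any that fail.

    1. No LAN host reaches the Internet directly on 80/443.
    2. The DMZ TS reaches nothing on the LAN's Windows auth ports.
    3. The Internet cannot open RDP to the TS (the TS is for internal use)."""
    lan_host, ts_host, inet_host = "10.0.1.5", "192.0.2.10", "198.51.100.7"
    probes = [
        ("LAN->Internet", lan_host, inet_host, p, "deny") for p in (80, 443)
    ] + [
        ("TS->LAN auth", ts_host, "10.0.0.5", p, "deny")
        for p in sorted(WINDOWS_AUTH_PORTS)
    ] + [("Internet->TS RDP", inet_host, ts_host, 3389, "deny")]
    return [(label, port) for label, s, d, port, want in probes
            if evaluate(s, d, "tcp", port) != want]


if __name__ == "__main__":
    for flow in [("10.0.1.5", "198.51.100.7", 443), ("10.0.1.5", "192.0.2.10", 3389),
                 ("192.0.2.10", "198.51.100.7", 443), ("192.0.2.10", "10.0.0.5", 445),
                 ("192.0.2.10", "10.0.0.5", 1433)]:
        print(flow, evaluate(*flow[:2], "tcp", flow[2]))
    print("violations:", segmentation_violations())
```

The ordering matters: if the SQL allow were written as "DMZ_TS to LAN, any port" or placed above the deny, the self-check would report every Windows port as reachable, which is exactly the configuration Leythos warns turns the DMZ box into a LAN member.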

Fortunately not. Firefox implements the W3 standard for HTML 4 and XHTML 1 as well as CSS 2, see

formatting link

To make this clear: Firefox is much better than IE.

Yes (if you're talking about Microsoft Office).

Yours, VB.

Reply to
Volker Birk

Yes.

Yes.

HTH.

-Russ.

Reply to
Somebody.

You've not told us if the TS is part of the LAN domain for authentication or if it's stand-alone in its own network without any connections to the LAN.

TS/Citrix sessions can be compromised just like any other session, and that means that they can compromise the server they run on too.

If users are getting their email via IMAP or POP then you'll have a much easier time securing it if they're pulling from a company email server; if using Exchange, well, that's another story.

Please quote posts when you reply to them.

Reply to
Leythos

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.