Firewall Wizards mailing list archives

RE: VPN: Citrix IPSEC experiences?


From: "Claussen, Ken" <Ken () kccweb com>
Date: Sat, 26 Jul 2003 00:15:00 -0400

These are two entirely different products and each serves its own
purpose. The Cisco VPN Client is different than the Cisco IOS IPSEC.
Use this for access to your entire LAN remotely. For Citrix the
situation is a bit different. First for secure external access as of
Metaframe XP the best way is to use Citrix Secure Gateway (CSG). CSG is
essentially an SSL Citrix ICA Proxy. It provides a secure connection to
the Web server which can be placed in a DMZ. Then restricted access is
allowed to the Metaframe Server. This also requires you to run a Secure
Ticketing Authority (usually on the Metaframe server itself). Meaning
port TCP 1494 and whatever port you choose to run the STA on must be
open. This also requires a Public NFuse server for authentication prior
to the connection to the CSG server. In your NFuse admin tool you can
specify that users can automagically download the Web client. This works
only if they have local admin rights (unless they changed this
recently). There is considerable administration too, although it is
centralized and controlled through Group membership. Each has their
place. I think you would find an NFuse (W/SSL) CSG, Citrix Published
Application farm provides controlled access for 90% of your users. It is
the other 10% which have greater needs which will likely still need
something like the VPN client. Does the Nortel act as a VPN
concentrator? Cisco has a VPN 3005 ($3000) which will support 100
clients and NAT Traversal. HTH. 
Ken

-----Original Message-----
From: Darden, Patrick S. [mailto:darden () armc org] 
Sent: Friday, July 25, 2003 3:39 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] VPN: Citrix IPSEC experiences?



Is anyone using a Citrix IPSEC product with any luck?  The documentation I
found makes it look compatible only with Win9X (ICA client) and NT 4.0
(Extranet Server).  Plus, no NAT-traversal, no ICSA certification, and no
compatibility with other IPSEC clients nor servers.

We currently use Nortel Contivity Extranet Switches and Cisco's IPSEC IOS
with no problems; however, a coworker remarked that using Citrix's solution
would be a lot easier--no client setup, no administration, etc.

What are people's experiences?

Thanks,
--Patrick Darden
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
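
An added example, not part of either message: a small audit of firewall permit rules against the layout Ken describes, where only the DMZ proxy hosts (CSG and NFuse) may reach the Metaframe server, and only on TCP 1494 and the STA port. The addresses, the STA port 8080, the inbound port 443 and the rule tuple format are assumptions constructed for illustration.

```python
import ipaddress

# Constructed addresses and ports (assumptions, not taken from the post).
DMZ_HOSTS = ipaddress.ip_network("192.0.2.16/30")  # CSG and NFuse web servers
METAFRAME = ipaddress.ip_network("10.10.0.20/32")  # Metaframe server, also runs the STA
ICA_PORT = 1494                                    # ICA port named in the post
STA_PORT = 8080                                    # assumed; the post leaves the choice to the admin
ALLOWED_PORTS = {ICA_PORT, STA_PORT}

# Constructed permit rules: (source CIDR, destination CIDR, TCP port or None for any).
SAMPLE_RULES = [
    ("0.0.0.0/0", "192.0.2.16/30", 443),        # Internet -> DMZ over SSL (443 assumed)
    ("192.0.2.16/30", "10.10.0.20/32", 1494),   # DMZ proxies -> Metaframe, ICA
    ("192.0.2.16/30", "10.10.0.20/32", 8080),   # DMZ proxies -> STA
    ("0.0.0.0/0", "10.10.0.0/24", 1494),        # ICA reachable without the proxy
    ("192.0.2.0/24", "10.10.0.20/32", None),    # wider than the proxies, any port
]

def audit(rules):
    """Return (rule_number, problem) pairs; rule number 0 marks a missing rule."""
    findings = []
    covered = set()
    for number, (src, dst, port) in enumerate(rules, 1):
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if not dst_net.overlaps(METAFRAME):
            continue  # rule does not touch the Metaframe server
        if not src_net.subnet_of(DMZ_HOSTS):
            findings.append((number, "source wider than the DMZ proxy hosts"))
        if port not in ALLOWED_PORTS:
            findings.append((number, "port outside ICA/STA"))
        elif src_net.overlaps(DMZ_HOSTS):
            covered.add(port)  # a required DMZ -> Metaframe flow is permitted
    for port in sorted(ALLOWED_PORTS - covered):
        findings.append((0, f"no DMZ rule for required port {port}"))
    return findings

if __name__ == "__main__":
    for number, problem in audit(SAMPLE_RULES):
        print(f"rule {number}: {problem}")
```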