Securing setup (3.42)
I have a server running Tarantella Enterprise Desktop v3.42 on Linux,
accessible via Apache and HTTPS. Problem is that to access internal
Citrix servers, it has to launch the Citrix client towards them using a
local account.
When people log into Tarantella using their username and password (stored
in LDAP) they then have to type in the local Citrix client user's username
and password (account stored locally on webserver), and then the actual
NT4 username and password to get access to internal systems.
Two issues I would like to address at the time of writing:
* Since ssh is running on the webserver, everybody actually has the username
and password for a local login on the machine, making the logon credentials
widespread, a setup I don't feel too good about security-wise.
* Users have to log in three times. Since we have both LDAP and NT4 we've
accepted usage of two logins, but the Citrix client local user seems very
unnecessary.
Thus, the questions: How do we enforce better security of this setup? What
have we misunderstood? Can we - to make it easier for the end users -
remove the Citrix client user totally from the webserver?
Thanks in advance for any tips on how to resolve this. It gives me a
headache and I probably shouldn't sleep at night knowing how many people
can actually log into my webserver :-)
--
Jakob Breivik Grimstveit, http://www.grimstveit.no/jakob, +47 48298152
#1
Jakob,
Here are a couple of options:
1. Don't use Citrix client to connect to the Citrix server. The Citrix
server should have Windows Terminal Server also. So, just access the
applications via RDP directly from Tarantella.
2. If you insist on using Citrix client, you could create phantom accounts
on the Tarantella server and then use "tarantella passcache" command to
pre-cache the password cache. That way, launching Citrix client would not
require username/password. See the passcache command:
http://www.tarantella.com/support/documentation/sgd/ee/3.42/help/en-us/base/indepth/tta_passcache.html
Hope either one of them helps.
"Jakob Breivik Grimstveit" <jakob@ikkjereklame.grimstveit.no.invalid> wrote
in message news:pan.2004.12.14.15.28.56.288347@grimstveit.no...
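The first issue raised in the thread, that the shared local Citrix account doubles as an SSH login for everyone who knows it, can be closed at the sshd layer regardless of which of the two options above is chosen. The script below is an added example and not part of the thread or of Tarantella's own tooling: it embeds a constructed weak and a constructed hardened `sshd_config` fragment, and a small checker that reports whether a given account is refused by the `DenyUsers` / `AllowUsers` / `AllowGroups` directives. The account name `citrixlocal` and the group `sshadmins` are placeholders.

```shell
#!/bin/sh
# Constructed sshd_config fragments (not from the original thread).
# "citrixlocal" stands in for the shared local Citrix client account.

# Weak configuration: nothing restricts who may log in, so anyone who
# knows the shared account's password gets a shell on the webserver.
WEAK_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication yes'

# Hardened configuration: refuse the shared service account outright and
# limit interactive SSH to an explicit admin group.
HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication yes
DenyUsers citrixlocal
AllowGroups sshadmins'

# ssh_user_blocked CONFIG USER
# Prints "blocked" (exit 0) when the config refuses USER, "allowed"
# (exit 1) otherwise. A user is treated as blocked when it appears in
# DenyUsers, or when an AllowUsers/AllowGroups line exists and the user
# is not named in AllowUsers. Group membership is not resolved, and
# directives inside Match blocks are not evaluated; see the note below.
ssh_user_blocked() {
    printf '%s\n' "$1" | awk -v user="$2" '
        { sub(/#.*/, "") }                       # drop comments
        tolower($1) == "denyusers" {
            for (i = 2; i <= NF; i++) if ($i == user) deny = 1
        }
        tolower($1) == "allowusers" {
            allow = 1
            for (i = 2; i <= NF; i++) if ($i == user) listed = 1
        }
        tolower($1) == "allowgroups" { allow = 1 }
        END {
            if (deny || (allow && !listed)) { print "blocked"; exit 0 }
            print "allowed"; exit 1
        }'
}

# Demonstration: the weak config lets the shared account in, the
# hardened one refuses it.
for cfg in WEAK_CONFIG HARDENED_CONFIG; do
    eval "text=\$$cfg"
    if ssh_user_blocked "$text" citrixlocal >/dev/null; then
        echo "$cfg: citrixlocal is blocked"
    else
        echo "$cfg: citrixlocal can log in over SSH"
    fi
done
```

The checker reads a file's text, so on the real host it is more reliable to feed it the effective configuration from `sshd -T` (which expands Match blocks and defaults) than the raw file, and to confirm separately that the service account is not a member of any group named in `AllowGroups`.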