[14447] in bugtraq
Re: Citrix ICA Basic Encryption
daemon@ATHENA.MIT.EDU (Chris Knight)
Wed Mar 29 19:49:17 2000
Message-Id: <005701bf99dd$23853da0$020aa8c0@aims.private>
Date: Thu, 30 Mar 2000 10:16:03 +1000
Reply-To: chris@aims.com.au
From: Chris Knight <chris@AIMS.COM.AU>
X-To: Weld Pond <weld@L0PHT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSO.4.21.0003281725160.18031-100000@0nus.l0pht.com>
Howdy,
> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of Weld
> Pond
> Sent: Wednesday, 29 March 2000 8:36
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: Re: Citrix ICA Basic Encryption
>
> [snip]
>
> SecureICA is only available for Windows and DOS clients. Unix, Macintosh,
> and Java clients must use the insecure protocol. Due to the nature of the
> protocol it cannot be tunnelled through ssh. A VPN is probably the only
> solution for Unix, Macintosh and Java clients.
>
> -weld
>
Not entirely correct. The ICA session can be tunnelled through ssh. You need
to forward port 1494 to the ICA server. However, the ICA browser service
uses UDP port 1604. You can get around this by using NAT techniques and the
ALTADDR command provided by Citrix.

From a security point-of-view, you probably shouldn't NAT the browser
service - simply use the ssh port forwarding to connect to a known server
and known application. The downside is you're not able to use seamless
windows, as you cannot get the list of published applications from the ICA
browser service.
Regards,
Chris Knight
Systems Administrator
AIMS Independent Computer Professionals
Tel: +61 3 6334 6664 Fax: +61 3 6331 7032 Mob: +61 419 528 795
Web: http://www.aims.com.au
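The set-up Chris describes, as an added example that is not part of the original post or of any Citrix documentation: a local ssh port forward for TCP 1494 to a known ICA server, and a client .ica file that points at the tunnel end on the loopback address so the client never needs the UDP 1604 browser service. The gateway name, internal server address and login are constructed placeholders; the .ica section and key names follow the classic ICA file layout and are an assumption to check against your client's documentation. The NAT/ALTADDR alternative mentioned in the post is deliberately not shown, since the post advises against exposing the browser service that way.

```shell
#!/bin/sh
# Added example (not from the original post): ssh local port forward for an
# ICA session, plus a client .ica file aimed at the tunnel end.
# Assumptions (constructed placeholders): gateway "ssh-gw.example.net",
# internal ICA server 10.0.0.5, ssh login "chris". Port 1494/tcp is the ICA
# session port named in the post; UDP 1604 (browser service) is NOT forwarded.

ICA_PORT=1494          # TCP port the ICA session uses (from the post)
LOCAL_PORT=1494        # local port the tunnel listens on

# Build the ssh command that forwards LOCAL_PORT on the workstation to
# ICA_PORT on the ICA server via the ssh gateway. -N: no remote shell.
# Binding to 127.0.0.1 keeps other hosts on the LAN from riding the tunnel.
ica_tunnel_cmd() {
    gw="$1"; server="$2"; user="$3"
    printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$LOCAL_PORT" "$server" "$ICA_PORT" "$user" "$gw"
}

# Write a minimal .ica file whose Address is the local tunnel end rather
# than the server, so the client connects to the known server/application
# without ever querying the UDP 1604 browser service.
# (Section and key names are an assumption about the classic ICA file layout.)
write_ica_file() {
    out="$1"; app="$2"
    cat > "$out" <<EOF
[WFClient]
Version=2

[ApplicationServers]
$app=

[$app]
Address=127.0.0.1:$LOCAL_PORT
InitialProgram=#$app
TransportDriver=TCP/IP
EOF
}

# Sanity check: the file must point at the loopback tunnel, never at the
# internal server address (which would bypass ssh if the client could reach it).
ica_file_uses_tunnel() {
    grep -q "^Address=127.0.0.1:$LOCAL_PORT\$" "$1"
}

# Stand-alone usage: print the tunnel command and write a sample .ica file.
ica_tunnel_cmd ssh-gw.example.net 10.0.0.5 chris
write_ica_file ./tunnel-example.ica Notepad
ica_file_uses_tunnel ./tunnel-example.ica && echo "ica file targets the tunnel"
```

Run the printed ssh command in one terminal, then open the generated .ica file with the client; because the file names the application directly, the loss of seamless windows and the published-application list that the post describes still applies.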