
Comments on TS08 v Citrix XenApp Essentials please

Discussion in 'Software' started by dales, Nov 18, 2010.

  1. dales

    dales Gigabyte Poster

    1,998
    46
    97
    Hi all,

    I'm in the process of testing out the new Terminal Services features vs Citrix XenApp Essentials, as I would like to get rid of our VPN connections (users use these to work remotely, which is making me uneasy).
    I've noticed that the new version of Terminal Services now includes some Citrix-like features such as publishing apps to a web page, so this may be a cheaper alternative to XenApp.

    Also, has anybody actually used XenApp Essentials or TS08 to allow users to work remotely, and are there any gotchas or things they don't tell you about in the glossy literature? I've administered XenApp 4.5 and below before in my last job, so I'm expecting Essentials just to be a cut-down version of that, but as usual any war-worn comments on the products would be helpful before getting into bed with either product.
     
    Certifications: vExpert 2014+2015+2016,VCP-DT,CCE-V, CCE-AD, CCP-AD, CCEE, CCAA XenApp, CCA Netscaler, XenApp 6.5, XenDesktop 5 & Xenserver 6,VCP3+5,VTSP,MCSA MCDST MCP A+ ITIL F
    WIP: Nothing
  2. SimonD

    SimonD Terabyte Poster Moderator

    3,463
    397
    199
    What would you be using on the perimeter? UAG? TMG? TS08 has RemoteApp and the TS Gateway that really look good (I use RemoteApp to publish DPM to my infrastructure users). SSL VPNs are becoming a lot more common, but obviously that's going to require PKI to be implemented correctly.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
    WIP: VCP6-CMA, VCAP-DCD and Linux + (and possibly VCIX-NV).
  3. dales

    dales Gigabyte Poster

    1,998
    46
    97
    In my mind the TSGW would sit in the DMZ for users to connect to, would it not (a bit like XenApp's SG and WI roles)? I want to get rid of VPNs because of all those lovely viruses and spyware that are no doubt sitting on the networks of our users who dial in by VPN. I know that RemoteApp or Citrix would not stop keylogging, but it would stop effectively creating network bridging between our network and completely unknown ones.
     
    Certifications: vExpert 2014+2015+2016,VCP-DT,CCE-V, CCE-AD, CCP-AD, CCEE, CCAA XenApp, CCA Netscaler, XenApp 6.5, XenDesktop 5 & Xenserver 6,VCP3+5,VTSP,MCSA MCDST MCP A+ ITIL F
    WIP: Nothing
  4. SimonD

    SimonD Terabyte Poster Moderator

    3,463
    397
    199
    Personally speaking I would use something like UAG (Unified Access Gateway) to sit in the DMZ and pass it through to the TS.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
    WIP: VCP6-CMA, VCAP-DCD and Linux + (and possibly VCIX-NV).
  5. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Dales, I'm a fan of SSL-VPN devices as they work over 443, so you will not have to open any more ports on your firewall. You won't need a PKI infrastructure, just a Public SSL Certificate for the A record (like OWA).

    On the SSL-VPN devices you can configure these with 2 Factor Authentication to a Radius Server for extra protection and then publish applications to the SSL-VPN like Terminal Server or OWA.

    The SSL-VPN would sit on the DMZ and you would only allow access from the SSL-VPN IP and Ports to the necessary server.

    So it would look something like this:

    User > SSL-VPN Login Two Factor Authentication > DMZ > LAN Terminal Server or OWA

    You could also look at SSTP, but you will need Server 2008 and a Public SSL. You would then put in place the NPS policies saying that the client machines have to have AV and Windows Firewall turned on etc., otherwise they cannot connect.
     
    Last edited: Nov 18, 2010
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
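
Added example, not part of the thread or any poster's own code: a small audit of DMZ-to-LAN allow rules against the policy described in the post above, where only the SSL-VPN IP may reach the necessary servers on the published ports. All addresses, rule names and the rule format are constructed assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not from the thread).
GATEWAY_IP = ipaddress.ip_address("192.0.2.10")      # SSL-VPN appliance in the DMZ
LAN = ipaddress.ip_network("10.0.0.0/24")
PUBLISHED = {                                        # LAN server -> ports published via the gateway
    ipaddress.ip_address("10.0.0.20"): {3389},       # Terminal Server (RDP)
    ipaddress.ip_address("10.0.0.30"): {443},        # OWA
}

# Constructed allow rules: (name, source CIDR, destination CIDR, (first port, last port))
RULES = [
    ("gw-to-ts",  "192.0.2.10/32", "10.0.0.20/32", (3389, 3389)),
    ("gw-to-owa", "192.0.2.10/32", "10.0.0.30/32", (443, 443)),
    ("dmz-to-ts", "192.0.2.0/24",  "10.0.0.20/32", (3389, 3389)),  # whole DMZ as source
    ("gw-to-lan", "192.0.2.10/32", "10.0.0.0/24",  (3389, 3389)),  # every LAN host as destination
    ("gw-to-smb", "192.0.2.10/32", "10.0.0.20/32", (135, 445)),    # ports that are not published
]

def audit(rules):
    """Return {rule name: [reasons]} for allow rules broader than the intended policy."""
    findings = {}
    for name, src, dst, (lo, hi) in rules:
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if not dst_net.overlaps(LAN):
            continue  # rule does not reach the LAN, out of scope here
        reasons = []
        # Source must be exactly the gateway address, not a range containing it.
        if not (src_net.num_addresses == 1 and src_net.network_address == GATEWAY_IP):
            reasons.append("source is not only the SSL-VPN gateway")
        # Destination must be one published server, and only on its published ports.
        if dst_net.num_addresses != 1 or dst_net.network_address not in PUBLISHED:
            reasons.append("destination is not a single published server")
        else:
            extra = set(range(lo, hi + 1)) - PUBLISHED[dst_net.network_address]
            if extra:
                reasons.append(f"{len(extra)} unpublished port(s) allowed")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    for rule, reasons in audit(RULES).items():
        print(f"{rule}: {'; '.join(reasons)}")
```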
  6. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    Another vote for SSL VPN here. :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
