Tuesday, 2011-07-12

*** dchilton has parted #wikid (None) [00:16]
*** dave (6337face@gateway/web/freenode/ip.99.55.250.206) has joined #wikid [00:16]
*** dave has parted #wikid (None) [00:16]
*** CowboyPride (~BartSimps@cpe-075-183-170-059.sc.res.rr.com) has joined #wikid [00:34]
*** CowboyPride has quit (Remote host closed the connection) [01:04]
*** Embalmed (embalmed@204.188.217.2) has joined #wikid [01:11]
Embalmed: hey guys, if i want to move from the community edition to the enterprise, does an rpm -Uvh work or is there more to it? [01:12]
*** CowboyPride (~BartSimps@cpe-075-183-170-059.sc.res.rr.com) has joined #wikid [01:16]
Embalmed: hrm, well i am not having much success.. i installed the enterprise rpm's and now i can't seem to get authenticated anymore, tacacs is saying the keys are invalid [02:31]
Embalmed: but they aren't [02:31]
Embalmed: and the adregister page isn't working for me anymore [02:31]
Embalmed: and wtf happened to the tacacs server [03:33]
Embalmed: grumble [03:43]
Embalmed: is anyone actually here? [03:43]
*** Lake_Lurker (~Just@h202.197.140.67.dynamic.ip.windstream.net) has joined #wikid [10:52]
*** Lake_Lurker has parted #wikid (None) [10:52]
*** nowen (~nowen@adsl-74-176-160-111.asm.bellsouth.net) has joined #wikid [14:17]
*** PC1 (480ca40a@gateway/web/freenode/ip.72.12.164.10) has joined #wikid [17:31]
PC1: Good day, I'm back with a couple more questions. [17:31]
nowen: welcome back [17:31]
PC1: So far so good I have local wikid software clients talking back and forth with the Wikid Server, [17:32]
PC1: getting their tokens and have a few accounts set up and registered on the server. [17:32]
PC1: For internal testing purposes the server code for the domain is based on the internal IP address of the Wikid server. [17:33]
PC1: Now once we get into the remote access testing phase of this project I will need to change this ServerCode to the public [17:33]
nowen: just create a new one. You can't edit the domain id [17:34]
PC1: Ohh okay [17:34]
PC1: Ok so, [17:34]
PC1: what ports must be open to allow software clients to talk to the Wikid Domain to get their Passcode? [17:35]
nowen: just 80 [17:35]
PC1: My concern is this, the same IP address (public address), is going to be used to hit the Citrix Secure Gateway page. [17:36]
nowen: hmm [17:36]
PC1: the CSG server is in a DMZ, [17:36]
PC1: so I'm a little concerned about port 80 being open inbound like that. [17:36]
nowen: all the token requests will go to /wikid/ [17:36]
nowen: can you proxy based on that? [17:37]
nowen: what is in front of the citrix? [17:37]
PC1: My understanding is that yes the token requests go straight to Wikid. [17:37]
PC1: In front of citrix is a firewall that will probably be doing some kind [17:37]
nowen: I mean they go to http://ipaddress/wikid/ [17:37]
nowen: so, for example, in apache you can proxy based on the directory [17:38]
PC1: They will not be able to do that from outside the LAN as the wikid server is on our internal LAN. [17:38]
nowen: /wikid/ [17:38]
nowen: what I mean is that if you only have one external ip, you will need something that sends some requests to the Citrix and some to wikid [17:39]
PC1: yes. [17:39]
PC1: Over different ports though, as [17:39]
PC1: CSG will be SSL. [17:40]
nowen: ahh, ok, if CSG is on a different port, then any firewall should be able to do that [17:40]
PC1: yes that's what I figured but my concern was that since the CSG server is on the internal network, would allowing inbound [17:41]
PC1: sorry let me rephrase that. [17:41]
PC1: My wikid server is on an internal private IP. I now have a public IP assigned to a hardware firewall that is configured [17:42]
PC1: to forward port 443 to the internal CSG server and port 80 to the internal IP of the Wikid Server. [17:43]
PC1: Doesn't the forwarding of port 80 create a security risk? [17:43]
nowen: ahh [17:43]
PC1: Since it's inbound traffic. [17:43]
PC1: and the wikid server is not in a DMZ. [17:44]
PC1: Only the CSG is. [17:44]
PC1: I just did not realize that Wikid has to first talk to the wikid server to get a token. [17:44]
nowen: would you prefer that the wikid server be in the dmz? [17:44]
nowen: you could also put an apache server in the dmz and have it proxy the requests to the internal wikid box [17:44]
PC1: So that would create a layer of abstraction true but end result is that we have inbound port 80 traffic getting into the corporate network. [17:45]
PC1: Correct? [17:45]
nowen: correct. Most of our users put wikid in the dmz [17:46]
PC1: hmmm yep that's what I'm getting at (i'm not the person responsible for the networking portion of it, but I need to know enough [17:46]
PC1: to suggest the best setup scenario. [17:46]
PC1: Okay .. so it should be in a dmz.. [17:47]
nowen: that is where most put it. it has a firewall on it, of course and is hardened. since it is talking to things in the dmz, it makes sense [17:47]
PC1: That's what I figured, unless the port can be changed so it communicates over some non well known port. [17:48]
nowen: well, you can't change the port on the tokens - it needs to be a port supported by isps etc. but you can change the listen port on the server and have the proxy use that [17:48]
nowen: so requests come in to ipaddress:80/wikid and get proxied to internalip:8080/wikid [17:49]
PC1: yes that's what exactly! [17:49]
PC1: Would you think that would be relatively secure? [17:49]
nowen: yes, but I don't know much about your setup, your risk profile, etc [17:50]
PC1: of course I understand! [17:50]
PC1: Well that's helpful, thanks. I have something else to think about. I will keep a copy of this conversation for my records. [17:51]
PC1: As usual appreciate your help. [17:51]
nowen: np. remember ymmv! [17:51]
PC1: ymmv? [17:51]
nowen: your mileage may vary ;) [17:52]
PC1: ahhh !! [17:52]
PC1: oky doky later... [17:53]
nowen: later [17:53]
*** PC1 has quit (Quit: Page closed) [17:54]
*** nowen1 (~nowen@adsl-98-66-182-32.asm.bellsouth.net) has joined #wikid [23:09]
*** nowen has quit (Ping timeout: 250 seconds) [23:09]
*** nowen1 has parted #wikid (None) [23:11]
