Network Security Firewalls

RE: Pix Alias command help needed.

Subject: RE: Pix Alias command help needed.
Date: Mon, 22 Nov 2004 17:13:12 -0000
I am assuming quite a lot so please let me know if I'm off the mark
here.

The link to the citrix server (the link being on a public server) points
to a public address within your organisation?

So a user outside the network would then traverse the firewall to get
to the citrix server? A user inside the firewall would try to access the
public address which is natted on the firewall to a private one inside.

My suggestion (if the above is correct) is to use a named link on the
web site. Get a public address assigned to the links and register this
with an external DNS authority. Then internally create the same DNS
domain and server record to the internal address.

Ie

Citrix.myorg.com -----> 81.123.43.23   (externally)
Citrix.myorg.com -----> 10.23.34.45         (internally)


I think the pix is not allowing internal users because it sees them trying
to enter and exit the firewall on the same interface and there will be
no nat rule to allow this. 


HTH

Andy
-----Original Message-----
From: Chad Thomsen [mailto:mtbcyclist@yahoo.com] 
Sent: 18 November 2004 12:56
To: firewalls@securityfocus.com
Subject: Pix Alias command help needed.

I have a strange situation and am trying to resolve
it using the Pix Alias command although that may not
be the correct way.  

I have users that access an externally hosted company
web site that is hosted by somebody else.  They can go
to the site and click an employee login link which
takes them to an internal citrix server.  Problem is
that since the server is inside the network the Pix is
not letting the traffic through.  People on the outside
(traveling salesman or home users) can use the link,
but users behind the firewall on the internal network
cannot.  

And yes I know this is not the most secure design so
don't hammer me on that.  If I can get approval I am
going to create a login server in the pix DMZ but the
organization I work for has a VERY tight IT budget.  

Any thought on how to resolve this?
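
The split DNS arrangement suggested in the reply, sketched as a BIND named.conf using views. This is an added example, not part of either message; the thread does not name a DNS server, so BIND, the 10.0.0.0/8 inside range, the zone file paths and the www placeholder address are all assumptions.

```conf
// Added example (not from the thread). Assumes BIND 9 serves myorg.com
// to both inside and outside clients; all paths below are hypothetical.

// Assumption: the inside network is 10.0.0.0/8, inferred only from the
// 10.23.34.45 address used in the reply's illustration.
acl "inside" { 10.0.0.0/8; localhost; };

// Views are matched in order, so the internal view must come first.
view "internal" {
    match-clients { "inside"; };
    recursion yes;                  // inside clients may resolve other names
    zone "myorg.com" {
        type master;
        file "zones/internal/myorg.com.zone";
        // Records this file must hold (shown as comments, not config):
        //   citrix  IN A  10.23.34.45   ; private address, no PIX traversal
        //   www     IN A  192.0.2.10    ; placeholder for the hosted site
        // The internal zone answers for ALL of myorg.com, so every public
        // name inside users still need (the externally hosted web site
        // included) has to be copied here or it stops resolving for them.
    };
};

view "external" {
    match-clients { any; };
    recursion no;                   // outside clients get authoritative answers only
    zone "myorg.com" {
        type master;
        file "zones/external/myorg.com.zone";
        // Record this file must hold:
        //   citrix  IN A  81.123.43.23  ; public address translated by the PIX
    };
};
```

named-checkconf and named-checkzone can validate the configuration and each zone file before the server is reloaded.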


                