If you missed the first part of this article series please read How To: Install and Configure Citrix Web Interface 4.6 and Citrix Secure Gateway on the same server (Part 1).
In part one of this article it was described how to do a basic installation of Citrix Web Interface 4.6 and how to request and install a 3rd Party SSL Server Certificate. Part two describes how to install and configure Citrix Secure Gateway 3.0 on the same server, so Internet Users can securely connect to Citrix Servers on a private network.
Prerequisites:
- Configured and tested (on the private network) Citrix Web Interface.
- Installed 3rd Party SSL Server Certificate.
- IIS HTTPS Port configured on a port OTHER THAN 443, i.e. 444.
- Citrix Presentation Server Components CD, or access to download Secure Gateway 3.0 from www.mycitrix.com.
- Firewall with a DMZ Port.
- Connectivity to at least one Citrix Secure Ticket Authority (built into the XML Service on Presentation Server 4.x).
Setup
Now that Citrix Web Interface 4.6 has been installed and tested and the SSL Server Certificate has been installed, it is time to install Citrix Secure Gateway 3.0. It’s best to keep the server on the private network until the complete system has been tested, to simplify troubleshooting, as one should not have to worry about the correct firewall ports being open.
Access the Citrix Presentation Server Components CD, or download Secure Gateway 3.0 from www.mycitrix.com. To begin the setup, double-click CSG_GWY.MSI.
Click “Next”, read and accept the License Agreement.
Select “Secure Gateway” and click “Next”.
Accept the default “Destination Folder” and click “Next”.
On the Service Account selection screen, select “NETWORK SERVICE” and click “Next”.
Review the Installation Selections and click “Next” to begin the installation.
If the installation was successful, this screen is displayed.
To begin the configuration of Citrix Secure Gateway, click “OK” to launch the “Secure Gateway Configuration Wizard”.
Configuration
Select ONLY the option to secure “MetaFrame Presentation Server”, then click “OK”.
Select the “Advanced” configuration type, then click “Next”.
Select the SSL Server Certificate that was installed in part one. Click “View” to verify that the correct certificate has been selected.
The items to review are outlined in red on the picture shown above:
- “Issued to:” MUST be the FQDN (Fully Qualified Domain Name) that end users will type in their Internet Browser to address the Secure Gateway.
- “Valid from” MUST be a current date range.
- The bottom of the General tab MUST read “You have a private key that corresponds to this certificate.” If this is not displayed the certificate may have been copied from another server, where is MUST be exported to a .PFX file, including the Private Key. This can be accomplished with the Certificates MMC on the original server.
On the “Configure secure protocol settings” screen, accept the default options and click “Next”.
Assuming your server has only one active Network Interface, accept the default option to “Monitor all IP addresses” and listen on TCP port 443. Click “Next” to continue.
On the “Configure outbound connections” screen, accept the default and click “Next” to continue.
On the “Details of the server running the Secure Ticket Authority (STA)” screen, click the “Add” button.
On the “Secure Ticket Authority (STA) details” pop-up, enter the FQDN of a Citrix Server. This is typically a Zone Data Connector, and the same server that is listed in the Farm XML Servers in the Web Interface Configuration. If the Citrix Farm is configured to use anything but the default TCP Port of 80, append the port number to the FQDN, preceded by a colon, i.e. “ctxs-cps.scs.local:8080”. If it is a requirement to secure traffic between the Secure Gateway and STA, check the checkbox in the “Protocol settings” section and enter the appropriate TCP Port. This requires an SSL Server Certificate on the server hosting the STA.
For redundancy, a secondary and tertiary STA can be added by repeating the previous step. When done, click “Next” to continue.
On the “Connection parameters” screen, accept the default options, and click “Next” to continue.
If you are load balancing connections to the Secure Gateway, add the IP Address of the device on the “Logging Exclusions” screen, otherwise click “Next” to continue.
Assuming Secure Gateway is on the same server as the Citrix Web Interface, accept the default “Indirect” radial button and the default “Installed on this computer” checkbox. If Secure Gateway will be used with a Web Interface Server hosted on a different server, de-select “Installed on this computer” and enter the FQDN of the Web Interface Server in the “Details” section.
Select the desired amount of “Logging parameters” and click “Next” to continue.
Click “Finish” to start the Secure Gateway service.
Open the “Secure Gateway Management Console” and click “Secure Gateway Diagnostics” to verify that the setting selected in the configuration wizard are valid.
Launch the Web Interface Console (via the Access Management Console). Right-click the Web Interface Site -> Manage secure client access -> Edit Gateway settings.
Enter the FQDN of the Secure Gateway Server that was just configured, then add the URL to the Secure Ticket Authority, as shown in the picture above. Initially, leave session reliability disabled, until Secure Gateway and Web Interface have been tested and the latest hotfix has been applied to Secure Gateway. Click “OK”.
Right-click the Web Interface Site -> Manage secure client access -> Edit DMZ settings.
Edit the “Default Client IP address” setting and select “Gateway Direct”, so clients will access the Presentation Server Farm via the Secure Gateway, instead of being delivered ICA files that include the Private IP Address of the target Citrix Server. Click “OK”.
Since the Secure Gateway is still on the Private Network, edit the hosts file (%WinDir%\system32\drivers\etc\hosts) on a test client workstation and add an entry for the FQDN that’s listed on the SSL Server Certificate.
From the test client workstation, open an Internet Browser and address the FQDN of the Secure Gateway, i.e. https://citrix.sessioncomputing.com. Since IIS is NOT listening on port 443, and Secure Gateway is, Secure Gateway should automatically proxy the request to the Web Interface Login Page. The page should display the SSL Secured (128 Bit) icon on the Internet Browser’s Status Bar (shown above).
Launch a Published Application via the Web Interface and verify in the Program Neighborhood Connection Center that the application was launched via the Secure Gateway. This is distinguished via the Black Lock on the Application Set, under ICA Connections. Additionally, viewing the properties of the connection displays the Encryption Level as “128 Bit SSL/TSL in use” (shown above).
Additionally, this can be confirmed via “Session Information” in the Secure Gateway Management Console, which displays the Client IP, User, Domain, Time Established and Time Elapsed.
Now that the configuration has been tested, download the latest hotfix for Secure Gateway 3.0, currently SGE300W800. This is a cumulative hotfix that contains all of the fixes from hotfixes SGE300W001 thru SGE300W007.
Logoff all Secure Gateway Sessions and launch SGE300W800.MSI. Click “Next” to continue.
If the error shown above is encountered during the installation of hotfix SGE300W800.MSI, search %SystemDrive% for “msvcr71.dll”.
Copy “msvcr71.dll”.
Paste the dll in %WinDir%\System32, and click “Retry” to start the Secure Gateway Service.
Click “Finish” to complete the hotfix installation.
Installation of this hotfix requires a restart, so click “Yes” to restart the Secure Gateway Server.
After the system restarts, re-test launching applications via the Secure Gateway URL and Web Interface. If the applications launch successfully, enable Session Reliability in the Web Interface Console -> Web Interface Site -> Right-Click -> Manage secure client access -> Edit Gateway settings, if so desired. Enabling Session Reliability changes the communication protocol between the Secure Gateway and Citrix Presentation Servers from TCP Port 1494 (ICA – Independent Computing Architecture) to TCP Port 2598 (CGP – Common Gateway Protocol).
Updates from hotfix SGE300W003, included in SGE300W800, allow one to display more columns in the Secure Gateway Management Console. The Server, Application and Session Idle Time columns can be enabled in the Secure Gateway Management Console by adding the following registry entries on the Secure Gateway Server.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Citrix Secure Gateway\3.0]
“ToolsDir”=”C:\\Program Files\\Citrix\\Secure Gateway\\”
“ShowServerAndAppForSession”=dword:00000001
“ShowTimeIdleForSession”=dword:00000001
Now that Secure Gateway and Web Interface have been tested on the private network, it is time to move the machine to the DMZ and re-test. When the machine is connected to the DMZ, the Public DNS A (Host) Record will need to be updated or added for the Secure Gateway, so the machine can be addressed via FQDN by Internet Users.
Required Firewall Rules
- Internet to DMZ (Secure Gateway Server) – Allow TCP Port 443.
- DMZ (Secure Gateway Server) to Private Network (STA & XML Service) – Allow TCP Port 80, or Farm XML Service Port, or TCP Port 443 if Securing STA Traffic via SSL.
- DMZ (Secure Gateway Server) to Private Network (Citrix Presentation Servers) – Allow TCP Port 1494 (without Session Reliability), or TCP Port 2598 (with Session Reliability).
Below is an example diagram of a Citrix Farm configured to use Secure Gateway and Web Interface as described in this article.
Summary
Citrix Web Interface 4.6 and Citrix Secure Gateway 3.0 can happily reside in the DMZ on one Windows Server, with one IP Address, and one SSL Server Certificate. There are other configurations that can be used, depending on your security requirements. Refer to the Administrators Guide and Troubleshooter’s Guide for documentation on alternate deployment scenarios.
References
Hotfix SGE300W008 – For Citrix Secure Gateway 3.0
Explaining ICA Session Reliability, Common Gateway Protocol, on TCP Port 2598
Citrix Secure Gateway Product Lifecycle
Secure Gateway 3.0 for Presentation Server Troubleshooter’s Guide
Deploying the Web Client 10.1 for Windows Through Web Interface 4.6
Web Interface Administrator’s Guide
If you missed the first part of this article series please read How To: Install and Configure Citrix Web Interface 4.6 and Citrix Secure Gateway on the same server (Part 1).
