Citrix Web Interface 4.6 is an ASP.Net 2.0 application that provides access to Citrix
Published Applications via a web browser. When deployed by itself, Internet-based users
require direct ICA (TCP Port 1494) or Common Gateway Protocol (TCP Port 2598)
communication with each Citrix Server hosting their published applications. This means
allowing connections from the Public Internet into the Private Network and opening firewall
ports; additionally, it requires that the client can successfully communicate over ports 1494
or 2598.

Citrix Secure Gateway 3.0 (CSG) is a Reverse Proxy that provides secure remote access to
Citrix Published Applications over SSL (TCP Port 443). When deployed in a DMZ it solves
the security and access problems previously listed, i.e. the client only needs to be able to
contact the CSG over port 443 and the CSG communicates on behalf of the clients with the
Citrix Servers on the Private Network. No communication happens between the Public
Internet and Private/Corporate Network.

Both Citrix Web Interface and Secure Gateway are available to Citrix Presentation Server
Customers via http://www.mycitrix.com.



1. Windows Server OS, i.e. 2003 Web or 2003 Standard Edition.
2. IIS w/ ASP.Net
3. .Net Framework 2.0
4. Microsoft Visual J# Version 2.0 Redistributable Package
5. Access Management Console for Presentation Server 4.5 (Framework only)
6. Web Interface 4.6 Access Management Console Extension
7. 3rd Party SSL Server Certificate (i.e. from Verisign, Thawte, GeoTrust, GoDaddy...)


1. Server capable of running Windows Server OS w/ IIS
2. Firewall with an available DMZ port


The initial installation and configuration of the Web Interface / Secure Gateway Server
should be performed on the Private Network, to ensure that all components are working
properly before moving the server to the DMZ. Since the server's final destination is in the
DMZ, the server should NOT be a domain member.
After installing software pre-requisites 1 through 6, download and launch the Web Interface
installation program (WebInterface.exe). Install Web Interface and accept the defaults.

Download the Citrix Web Client and place ica32web.msi in "C:\Program Files\Citrix\Web
Interface\4.6\Clients\ica32", the location from which the Web Interface later serves the package.

Download the Citrix Java Client and place its components in the corresponding Java client
folder under the Web Interface Clients directory.

Launch the Access Management Console (AMC). The first time the AMC is run, discovery is
performed to identify the components that will be managed.

Select the option "Do not contact servers running the configuration service", unless you want
to centrally store the Web Interface Configuration (refer to the Web Interface Administrator's
Guide).
After the discovery process completes, right-click the Web Interface node in the left pane
of the Access Management Console and start the Create Site process.
Select the default option for Site Type (Access Platform Site).
On the Specify IIS Location step of the site creation, check the option "Set as the default page
for the IIS site". Accept the defaults for the rest of the Create Site process.

After the site is created, the initial settings must be configured. On this screen, enter the name
of the Citrix Farm, then enter at least one server from the Citrix Farm with which the Web
Interface will communicate. The Web Interface communicates with the XML Service on the
configured Citrix Server via the Farm XML Port (80 is the default). Refer to the Citrix Server
Farm Properties in the Presentation Server Console if unsure what port number to enter.

Best practice would be to enter at least two XML Servers (for redundancy) and to enter Citrix
Servers configured as Data Collectors. When a user enters their credentials to log on to the
Web Interface, the Web Interface communicates with the XML Service to authenticate the
user and return the Application Set for that user.

XML Servers can be entered as their NetBIOS, FQDN or IP Address, depending on which
name resolution mechanism is in place. Since the server will end up in the DMZ, entering the
IP Address requires the fewest open ports (between the DMZ and Private Network).
On the "Select Application Type" screen, select "Remote", unless you plan to use the
Presentation Server 4.5 Application Streaming Feature to stream applications to client
computers. Accept the defaults for the remainder of the Initial Configuration Wizard.
At this point the Citrix Web Interface is ready to be tested, to ensure that it's been configured
correctly. To test that the Web Interface is working, open Internet Explorer on the Web
Interface Server and browse to http://localhost. Without any further configuration, one should
be able to successfully log on and launch applications from the configured Citrix Farm.
After successfully entering logon credentials, one should be presented with the following
Citrix Client Detection Wizard (if no Citrix Client is installed).
Clicking the "Detect Client" button initiates a scan to check the client computer for an
installed Citrix Client. If no client is detected, the user is presented with the following screen
where the Citrix Web Client installation can be started.

If the end user clicks the "Download" button, the Citrix Web Client installation package is
loaded from "C:\Program Files\Citrix\Web Interface\4.6\Clients\ica32\ica32web.msi" on the
Web Interface Server.
Click "Run" and proceed with the Client Installation. After the installation is complete, the
end user is presented with the following screen.

Click "Successful" to be taken to the client's application set.


Click on one of the applications. If the application launches, the basic configuration of Citrix
Web Interface was successful. The next step is to obtain an SSL Server Certificate which will
be used by Citrix Secure Gateway.

Since Citrix Secure Gateway is used to provide secure remote access, a Trusted 3rd Party
SSL Server Certificate is required. To obtain the certificate, launch Computer Management
and navigate to Services and Applications -> Internet Information Services (IIS) Manager ->
Web Sites -> Default Web Site -> Properties -> Directory Security.
Click on the "Server Certificate" button to start the "Web Server Certificate Wizard". Select
Next -> "Create a new certificate" -> "Prepare the request now, but send it later".
In the name field, enter a friendly name that accurately describes what the certificate will be
used for, i.e. "Citrix Secure Gateway". Click Next.

The information on the Organization Information page is what will display on the SSL
Certificate when viewed by the end user.

The Site Common Name is the most important piece of information that is entered. It MUST
match the Fully Qualified Domain Name that will be addressed by the end user. It need not
be the same as the NetBIOS Name of the Server, but DNS must be configured to resolve this
name to the server being configured.

On the Geographical Information screen it is important that the "State/province" be
completely spelled out, as the request will not be accepted by the 3rd Party Certificate Authority
if the State/province is abbreviated.

The information entered in the IIS Certificate Wizard outputs to a text file, whose content is
submitted to the 3rd Party Certificate Authority via their online certificate purchase form.
After purchasing the SSL Server Certificate from your preferred Certificate Authority, the
Certificate needs to be installed on the Web Interface / Secure Gateway Server. The
following steps may differ slightly, depending on the vendor, but in this example we'll use
certificates from GoDaddy.com. GoDaddy supplies two certificates, an Intermediate
Certificate Authority and the SSL Server Certificate that was purchased. Per the instructions
from the vendor we open the Certificates Management Console via Start -> Run -> MMC ->
File -> Add/Remove Snap-in -> Add -> Certificates -> Add -> Computer Account -> Next ->
Local Computer -> Finish.
Right-click "Intermediate Certification Authorities", navigate to All Tasks -> Import ->
Browse and select the Root Certificate supplied by the vendor.

Click Next and Accept the Default Location of Intermediate Certification Authorities.

Click Next to Complete the Certificate Import.




Open IIS Manager -> Web Sites -> Default Web Site -> Properties -> Directory Security ->
Server Certificate.
Click "Next" to continue with the Web Server Certificate Wizard.

Select "Process the pending request and install the certificate". Click "Next" to continue.

Browse to, or enter the path to, the downloaded SSL Server Certificate. Click "Next" to
continue.
Change the "SSL port this web site should use" from 443 to 444 or another unused port. It is
very important NOT to accept the default port of 443, as this port will be used by Citrix
Secure Gateway.

To test that the SSL Certificate has been properly installed and that IIS has been configured
correctly, restart IIS via "Start -> Run -> cmd -> IISRESET". After IIS restarts, browse to
https://FullyQualifiedDomainName:444. This is NOT the URL clients will enter, as they will
connect to the Citrix Secure Gateway on the standard HTTPS Port (443). This is only being
done to ensure that the certificate was properly installed and that the Citrix Web Interface still
works. A DNS Host (A) or Alias (CNAME) record must be configured to resolve the Fully
Qualified Domain Name to the IP Address of the server being configured for the web page to
display correctly.

In part two of this document we'll go over the installation and configuration of Citrix Secure
Gateway, as well as the required firewall configuration.

In part one of this document it was described how to do a basic installation of Citrix Web
Interface 4.6 and how to request and install a 3rd Party SSL Server Certificate. Part two
describes how to install and configure Citrix Secure Gateway 3.0 on the same server, so
Internet Users can securely connect to Citrix Servers on a private network.

1. Configured and tested (on the private network) Citrix Web Interface.
2. Installed 3rd Party SSL Server Certificate.
3. IIS HTTPS Port configured on a port OTHER THAN 443, i.e. 444.
4. Citrix Presentation Server Components CD, or access to download Secure Gateway
3.0 from www.mycitrix.com.
5. Firewall with a DMZ Port.
6. Connectivity to at least one Citrix Secure Ticket Authority (built into the XML
Service on Presentation Server 4.x).

Now that Citrix Web Interface 4.6 has been installed and tested and the SSL Server
Certificate has been installed, it is time to install Citrix Secure Gateway 3.0. It's best to keep
the server on the private network until the complete system has been tested, to simplify
troubleshooting, as one should not have to worry about the correct firewall ports being open.

Access the Citrix Presentation Server Components CD, or download Secure Gateway 3.0
from www.mycitrix.com. To begin the setup, double-click the Secure Gateway setup program.

Click "Next", read and accept the License Agreement.

Select "Secure Gateway" and click "Next".

Accept the default "Destination Folder" and click "Next".

On the Service Account selection screen, select "NETWORK SERVICE" and click "Next".

Review the Installation Selections and click "Next" to begin the installation.
If the installation was successful, this screen is displayed.

To begin the configuration of Citrix Secure Gateway, click "OK" to launch the "Secure
Gateway Configuration Wizard".

Select ONLY the option to secure "MetaFrame Presentation Server", then click "OK".

Select the "Advanced" configuration type, then click "Next".

Select the SSL Server Certificate that was installed in part one. Click "View" to verify that
the correct certificate has been selected.
The items to review are outlined in red on the picture shown above:

- "Issued to:" MUST be the FQDN (Fully Qualified Domain Name) that end users will
type in their Internet Browser to address the Secure Gateway.
- "Valid from" MUST be a current date range.
- The bottom of the General tab MUST read "You have a private key that corresponds
to this certificate." If this is not displayed, the certificate may have been copied from
another server, where it MUST be exported to a .PFX file, including the Private
Key. This can be accomplished with the Certificates MMC on the original server.
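A pre-flight check for the first two review items above (issued-to name and validity dates), written as an added Python example that is not part of the original guide; it works on the dictionary shape Python's ssl module returns for a peer certificate, and the host name and certificate dates used as samples are constructed.

```python
"""Check the certificate presented on the Secure Gateway port (added example)."""
import calendar
import socket
import ssl
import time

# Constructed values: the public name users will type, and two certificates in
# the dictionary shape ssl's getpeercert() returns.
GATEWAY_FQDN = "citrix.example.test"
GOOD_CERT = {
    "subject": ((("organizationName", "Example"),), (("commonName", "citrix.example.test"),)),
    "notBefore": "Jun 15 00:00:00 2007 GMT",
    "notAfter": "Jun 15 23:59:59 2008 GMT",
}
# Issued to the server's NetBIOS name instead of the FQDN users address.
WRONG_NAME_CERT = dict(GOOD_CERT, subject=((("commonName", "ctxs-wi"),),))
JAN_2008 = calendar.timegm((2008, 1, 1, 0, 0, 0, 0, 0, 0))  # "now" for the samples


def cert_names(cert):
    """Names the certificate is issued to: subject CN plus any DNS SANs."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def check_gateway_cert(cert, fqdn, now=None):
    """Return the list of problems found; an empty list means the checks pass."""
    now = time.time() if now is None else now
    problems = []
    if fqdn.lower() not in cert_names(cert):
        problems.append("issued-to mismatch: expected %s, certificate names %s"
                        % (fqdn, sorted(cert_names(cert)) or "none"))
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    return problems


def fetch_cert(fqdn, port=443, timeout=5):
    """Fetch the certificate from the listener on 443 (Secure Gateway; IIS was
    moved to 444). Chain validation stays on, so a missing intermediate CA
    raises ssl.SSLCertVerificationError; the name is checked separately above."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else GATEWAY_FQDN
    try:
        report = check_gateway_cert(fetch_cert(host), host)
    except OSError as exc:  # covers socket errors and ssl.SSLError subclasses
        report = ["connection or chain validation failed: %s" % exc]
    print("\n".join(report) or "certificate on %s:443 passes" % host)
```

Run it with the gateway FQDN as the only argument from a workstation whose hosts file points that name at the server, as the guide does for the private-network test.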

On the "Configure secure protocol settings" screen, accept the default options and click
"Next".
Assuming your server has only one active Network Interface, accept the default option to
"Monitor all IP addresses" and listen on TCP port 443. Click "Next" to continue.

On the "Configure outbound connections" screen, accept the default and click "Next" to
continue.
On the "Details of the server running the Secure Ticket Authority (STA)" screen, click the
"Add" button.

On the "Secure Ticket Authority (STA) details" pop-up, enter the FQDN of a Citrix
Server. This is typically a Zone Data Collector, and the same server that is listed in the Farm
XML Servers in the Web Interface Configuration. If the Citrix Farm is configured to use
anything but the default TCP Port of 80, append the port number to the FQDN, preceded by a
colon, i.e. "ctxs-cps.scs.local:8080". If it is a requirement to secure traffic between the Secure
Gateway and STA, check the checkbox in the "Protocol settings" section and enter the
appropriate TCP Port. This requires an SSL Server Certificate on the server hosting the STA.
For redundancy, a secondary and tertiary STA can be added by repeating the previous step.
When done, click "Next" to continue.

On the "Connection parameters" screen, accept the default options, and click "Next" to
continue.
If you are load balancing connections to the Secure Gateway, add the IP Address of the
device on the "Logging Exclusions" screen, otherwise click "Next" to continue.

Assuming Secure Gateway is on the same server as the Citrix Web Interface, accept the
default "Indirect" radio button and the default "Installed on this computer" checkbox. If
Secure Gateway will be used with a Web Interface Server hosted on a different server, de-
select "Installed on this computer" and enter the FQDN of the Web Interface Server in the
"Details" section.
Select the desired amount of "Logging parameters" and click "Next" to continue.

Click "Finish" to start the Secure Gateway service.


Open the "Secure Gateway Management Console" and click "Secure Gateway Diagnostics"
to verify that the settings selected in the configuration wizard are valid.

Launch the Web Interface Console (via the Access Management Console). Right-click the
Web Interface Site -> Manage secure client access -> Edit Gateway settings.
Enter the FQDN of the Secure Gateway Server that was just configured, then add the URL to
the Secure Ticket Authority, as shown in the picture above. Initially, leave session reliability
disabled, until Secure Gateway and Web Interface have been tested and the latest hotfix has
been applied to Secure Gateway. Click "OK".

Right-click the Web Interface Site -> Manage secure client access -> Edit DMZ settings.
Edit the "Default Client IP address" setting and select "Gateway Direct", so clients will
access the Presentation Server Farm via the Secure Gateway, instead of being delivered ICA
files that include the Private IP Address of the target Citrix Server. Click "OK".

Since the Secure Gateway is still on the Private Network, edit the hosts file
(%WinDir%\system32\drivers\etc\hosts) on a test client workstation and add an entry for the
FQDN that's listed on the SSL Server Certificate.
From the test client workstation, open an Internet Browser and address the FQDN of the
Secure Gateway, i.e. https://citrix.sessioncomputing.com. Since IIS is NOT listening on port
443, and Secure Gateway is, Secure Gateway should automatically proxy the request to the
Web Interface Login Page. The page should display the SSL Secured (128 Bit) icon on the
Internet Browser's Status Bar (shown above).

Launch a Published Application via the Web Interface and verify in the Program
Neighborhood Connection Center that the application was launched via the Secure Gateway.
This is distinguished by the Black Lock on the Application Set, under ICA Connections.
Additionally, viewing the properties of the connection displays the Encryption Level as "128
Bit SSL/TLS in use" (shown above).
This can also be confirmed via "Session Information" in the Secure Gateway
Management Console, which displays the Client IP, User, Domain, Time Established and
Time Elapsed.

Now that the configuration has been tested, download the latest hotfix for Secure Gateway
3.0, currently SGE300W800. This is a cumulative hotfix that contains all of the fixes from
hotfixes SGE300W001 thru SGE300W007.

Logoff all Secure Gateway Sessions and launch SGE300W800.MSI. Click "Next" to
continue.
If the error shown above is encountered during the installation of hotfix SGE300W800.MSI,
search %SystemDrive% for "msvcr71.dll".

Copy "msvcr71.dll".
Paste the dll in %WinDir%\System32, and click "Retry" to start the Secure Gateway Service.

Click "Finish" to complete the hotfix installation.

Installation of this hotfix requires a restart, so click "Yes" to restart the Secure Gateway
Server.

After the system restarts, re-test launching applications via the Secure Gateway URL and
Web Interface. If the applications launch successfully, enable Session Reliability in the Web
Interface Console -> Web Interface Site -> Right-Click -> Manage secure client access ->
Edit Gateway settings, if so desired. Enabling Session Reliability changes the communication
protocol between the Secure Gateway and Citrix Presentation Servers from TCP Port 1494
(ICA, Independent Computing Architecture) to TCP Port 2598 (CGP, Common Gateway
Protocol).

Updates from hotfix SGE300W003, included in SGE300W800, allow one to display more
columns in the Secure Gateway Management Console. The Server, Application and Session
Idle Time columns can be enabled in the Secure Gateway Management Console by adding
the following registry entries on the Secure Gateway Server.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Citrix Secure Gateway\3.0]
    "ToolsDir"="C:\\Program Files\\Citrix\\Secure Gateway\\"
    ; two further value entries follow in the original but are not legible in this copy

Now that Secure Gateway and Web Interface have been tested on the private network, it is
time to move the machine to the DMZ and re-test. When the machine is connected to the
DMZ, the Public DNS A (Host) Record will need to be updated or added for the Secure
Gateway, so the machine can be addressed via FQDN by Internet Users.


- Internet to DMZ (Secure Gateway Server): Allow TCP Port 443.
- DMZ (Secure Gateway Server) to Private Network (STA & XML Service): Allow
TCP Port 80, or the Farm XML Service Port, or TCP Port 443 if securing STA traffic
via SSL.
- DMZ (Secure Gateway Server) to Private Network (Citrix Presentation Servers):
Allow TCP Port 1494 (without Session Reliability), or TCP Port 2598 (with Session
Reliability).
Below is an example diagram of a Citrix Farm configured to use Secure Gateway and Web
Interface as described in this article.

Citrix Web Interface 4.6 and Citrix Secure Gateway 3.0 can happily reside in the DMZ on
one Windows Server, with one IP Address, and one SSL Server Certificate. There are other
configurations that can be used, depending on your security requirements. Refer to the
Administrator's Guide and Troubleshooter's Guide for documentation on alternate
deployment scenarios.



Hotfix SGE300W008 - For Citrix Secure Gateway 3.0

Explaining ICA Session Reliability, Common Gateway Protocol, on TCP Port 2598

Citrix Secure Gateway Product Lifecycle

Secure Gateway 3.0 for Presentation Server Troubleshooter's Guide

Deploying the Web Client 10.1 for Windows Through Web Interface 4.6

Web Interface Administrator's Guide
