01 August 2012

Citrix Secure Gateway Configuration Explained Step By Step

The Secure Gateway allows you to connect to your Citrix XenApp server over the internet via an HTTPS SSL tunnel.  Because you are using this tunnel you do not need any additional ports opened directly to your XenApp servers.

The only problem with it is that, despite having a configuration wizard, it is tricky to set up since the requirements are not always clear.  You also need to configure half of the settings in the Web Interface console.

Server Layout
Depending on the requirements, your Citrix XenApp deployment will differ in the number of servers and the roles installed on them.  This example covers the steps to configure a 3-tier configuration where the XenApp, Gateway and Web Interface roles are installed on three separate servers.  The Web Interface is published to the internet via a reverse proxy.  The Secure Gateway is published via a Non-Web Server rule.

Before configuring the Secure Gateway you will need a few things.
  • A XenApp server
  • A XenApp Web Interface server
  • An SSL certificate

The XenApp server(s) will function as an STA (Secure Ticket Authority).
The Web Interface server will need to be referenced in the configuration, and it will itself have to be configured to use the Secure Gateway.

The SSL certificate is used to encrypt and authenticate everything.  I would suggest using a 3rd party certificate for this as it avoids a number of potential issues.  Request and install the certificate on the server to be used as the Secure Gateway before proceeding.

Secure Gateway Configuration Wizard

  • Launch the wizard from Start - All Programs - Citrix - Administration Tools - Secure Gateway Configuration Wizard
  • Select the Standard configuration type
  • Select the certificate installed as a prerequisite
  • Check Monitor all IPv4 Addresses
  • Select No outbound traffic restrictions
  • Click Add to enter the details of a server running the XenApp role
  • Select Direct (to access the Web Interface, users enter the URL of the Web Interface directly)
  • Select to log Warning, Error and Fatal events
  • Check Restart Secure Gateway and click Finish

Once this is done the Secure Gateway is able to route sessions.  The way to send a connection request to the Secure Gateway is to configure the Web Interface Secure Access settings to do so.

Web Interface Secure Access Configuration

By default the Web Interface is configured for Direct access.  But what does this actually mean?  The little diagram they have tries to illustrate it, but I personally struggled to "get it" at first.

The diagram represents the client machine on the left.  On the right are the XenApp role servers.  (The Web Interface is not in the diagram at all.)

The process flow is as follows:

  1. Client logs onto the Web Interface
  2. Client launches an application
  3. Web Interface determines the client connection and evaluates which Secure Access rule to use
  4. Web Interface dynamically generates the .ica file
  5. Client downloads the .ica file
  6. The .ica file is automatically launched with the Citrix Receiver
  7. Citrix Receiver reads the .ica file to determine where and what to connect to
  8. Session is established

In the Direct case the file contains the actual IP address of the XenApp server.  The client establishes an ICA connection directly to it on port 1494.

To route sessions through the Gateway we need to do two things.
We need to specify the criteria used by step 3 in the process flow.
We need to specify what to connect to for step 7.

For this example all requests coming from the internet via the reverse proxy to the Web Interface should use the Gateway.  All other connections should connect directly.  (This is the most common scenario.)

  • Open the Citrix Web Interface Management Console
  • Select the XenApp Web Site
  • Click Secure Access in the Actions pane
  • Click Add and add the internal IP address of the reverse proxy server
  • The mask should be set so that only the specified IP is included
  • Access method should be Gateway Direct
  • (Repeat if there is more than one IP)
  • Click Next

What this does is provide the criteria used in step 3 and set the connection method to be written into the .ica file in step 4.

  • Specify the Secure Gateway's external FQDN
  • Specify a server to use as the STA
  • Click Finish
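The rule evaluation in step 3 and the resulting .ica contents in step 4 can be modelled to check a Secure Access configuration before testing it live. This is an added example, not code from the original post or from Citrix; the IP addresses, the gateway name and the .ica keys are constructed for illustration and are not the exact ICA file syntax.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRule:
    """One Secure Access entry: client address + mask -> access method."""
    address: str
    mask: str
    method: str  # "Direct" or "Gateway Direct"

def rule_network(rule: AccessRule) -> ipaddress.IPv4Network:
    # Address/mask pair exactly as entered in the console (e.g. 10.0.0.5 / 255.255.255.255)
    return ipaddress.ip_network(f"{rule.address}/{rule.mask}", strict=False)

def choose_access_method(client_ip: str, rules, default: str = "Direct") -> str:
    """Step 3: the first rule whose address/mask covers the client wins, else the default."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if ip in rule_network(rule):
            return rule.method
    return default

def build_ica(method: str, xenapp_ip: str, gateway_fqdn: str, sta_ticket: str) -> dict:
    """Step 4: what the generated .ica file tells the Receiver to connect to (step 7).
    Keys are illustrative (assumed), not the exact Citrix ICA file syntax."""
    if method == "Direct":
        # Direct: the real XenApp address, ICA straight to port 1494
        return {"Address": xenapp_ip, "Port": 1494, "SSLEnable": "Off"}
    # Gateway Direct: HTTPS to the gateway's external name; the STA ticket replaces
    # the server address so the XenApp IP never appears in the downloaded file
    return {"Address": sta_ticket, "SSLEnable": "On", "SSLProxyHost": f"{gateway_fqdn}:443"}

# Constructed sample deployment: reverse proxy at 10.0.0.5, internal clients on 10.0.0.0/24
PROXY_ONLY = [AccessRule("10.0.0.5", "255.255.255.255", "Gateway Direct")]
TOO_LOOSE = [AccessRule("10.0.0.5", "255.255.255.0", "Gateway Direct")]  # mask too wide

def route_summary(rules) -> dict:
    """Which path each constructed client gets; mirrors the manual test in the next section."""
    clients = {"internet via proxy": "10.0.0.5", "internal same subnet": "10.0.0.20",
               "internal other subnet": "192.168.1.20"}
    return {name: choose_access_method(ip, rules) for name, ip in clients.items()}

if __name__ == "__main__":
    for label, rules in (("proxy-only mask", PROXY_ONLY), ("loose mask", TOO_LOOSE)):
        print(label, route_summary(rules))
    print(build_ica("Gateway Direct", "10.0.0.50", "csg.example.com", "STA-TICKET-PLACEHOLDER"))
```

With the loose mask, internal clients on the proxy's subnet are sent through the Gateway too, which is exactly the symptom the testing section below tells you to look for.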

Testing the connections
Once everything has been configured you can test your connections to see if the sessions are routed through the Gateway.  Internal traffic should go direct and internet traffic should go via the Gateway.

To see if a session is using the Gateway or not, you can use the Secure Gateway Management Console and check Session Information.  If a session is working from the internet, things are probably fine from that side.  If clients connecting from the internal network are also going through the Gateway, you need to recheck the Web Interface's Secure Access settings.

Once you understand how things fit together it is much simpler to configure even more complex deployment options.  This basic configuration will work for most small to medium environments.
