Create and configure a Secure Gateway in MPS4.0
Written by Hans Straat, Thursday, 24 August 2006

Introduction

This howto shows you how to create a Citrix Secure Gateway (CSG) in Citrix Presentation Server 4.0.

We used certain standards to implement it; you can of course implement your own standards.

This howto is a basic guide to creating a Citrix Secure Gateway for MPS4.0.

You will also need a Web Interface on the server.

If you haven't created a Web Interface for MPS4.0 yet, we recommend you read this howto first.

Before we begin, we need to accomplish a few goals on the server that will become a dedicated Citrix Secure Gateway.

The first thing we do is create a server certificate (web server) for the server, issued to the FQDN (Fully Qualified Domain Name) of the server. We created a certificate for the server with a private CA (Certificate Authority) and installed it.

Next we check whether the IIS server is hosting an SSL site on port 443 TCP. If so, you can safely remove it, because port 443 TCP will be dedicated to the CSG.
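The two prerequisites above can be checked from a prompt before starting the setup. This is an added example, not part of the original howto; it assumes PowerShell is available on the server, uses the placeholder name csg.example.com for the FQDN, and skips revocation checking because a private CA's CRL may not be reachable.

```powershell
# Added example: pre-flight checks for a server that will become the CSG.
$fqdn = 'csg.example.com'              # placeholder, replace with your server's FQDN
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU OID for TLS server authentication

# 1. Is anything already listening on TCP 443 (for example an IIS SSL site)?
$listeners = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners() |
    Where-Object { $_.Port -eq 443 }
if ($listeners) {
    Write-Warning "TCP 443 is already in use on: $(($listeners | ForEach-Object { $_.Address }) -join ', ')"
} else {
    Write-Output 'TCP 443 is free for the Secure Gateway.'
}

# 2. Is there a usable server certificate for the FQDN in the machine store?
#    GetNameInfo('DnsName') returns the SAN DNS name, or the subject CN if there is no SAN.
$now = Get-Date
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $cert = $_
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $cert.HasPrivateKey -and
    $cert.NotBefore -le $now -and $cert.NotAfter -gt $now -and
    $cert.GetNameInfo('DnsName', $false) -eq $fqdn -and
    # A certificate without an EKU extension is valid for all purposes.
    ((-not $eku) -or ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }))
}

if (-not $candidates) {
    Write-Warning "No valid server certificate with a private key found for $fqdn."
} else {
    # 3. Does each candidate chain to a root this machine trusts?
    foreach ($cert in $candidates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: CRL of the private CA may be unreachable
        $trusted = $chain.Build($cert)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        New-Object PSObject -Property @{
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            ChainTrusted = $trusted
            ChainStatus  = $status    # 'UntrustedRoot' means the private root CA is not installed here
        }
    }
}
```

The chain check uses the trust store of the machine it runs on, so a ChainStatus of UntrustedRoot only tells you about that machine.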

Part 1 Installation of the CSG.

The setup is located on the component CD of your Citrix installation set.

After you double-click the setup, figure 1 will show up.

figure 1

setup CSG MPS40

Press Next to go to figure 2, accept the license agreement and press Next.

figure 2

setup CSG MPS40

Select Secure Gateway and press Next (Secure Gateway Proxy is used for a double-hop DMZ).

figure 3

setup CSG MPS40

 Now you can select the destination folder. We left it default. Press Next to go to figure 5

figure 4

setup CSG MPS40

Now you have to select the account which the Secure Gateway will run under. We selected the Network Service account because we're darn lazy. You can of course create a dedicated account for this service for security reasons!

figure 5

setup CSG MPS40

Press Next to go to figure 7 

figure 6

setup CSG MPS40

 Yes it's getting boring ... press next :)

figure 7

setup CSG MPS40

Now we're getting to the part where we need to configure the Secure Gateway with the wizard before it will actually start up.

figure 8

setup CSG MPS40

 Deselect "Metaframe Secure Access Manager" since we are only installing a CSG.

figure 9

setup CSG MPS40

We can now choose between standard or advanced settings. As geeks we only want advanced, of course!!

figure 10

setup CSG MPS40

Remember I wrote at the top of the article that we need a server certificate? Well, here is why.

As you can see, we already have 2 certificates installed (due to a former installation of CSG). Select the correct certificate you created for your server and press Next.

figure 11

setup CSG MPS40

Keep this default. The stronger the encoding the better.

figure 12

setup CSG MPS40

 We want to listen on port 443 TCP. If you have multiple network interface cards select the correct one.

figure 13

setup CSG MPS40

Select no outbound traffic restrictions, or if you have an ACL, select that one.

figure 14

setup CSG MPS40

Since Metaframe Presentation Server 4.0, every Citrix server is also a Secure Ticket Authority (STA). Place its FQDN in the box, then press OK.

figure 16

setup CSG MPS40

After you have entered the correct name of the STA you will get figure 17. You can enter multiple STAs for failover.

figure 17

setup CSG MPS40

We did not configure this since we don't want any restrictions on our timeouts or connections.

figure 18

setup CSG MPS40

You can specify devices to be excluded from logging. Why exclude stuff? The more logging the better, in my opinion.

figure 19

setup CSG MPS40

 We want users connecting directly to the secure gateway.

figure 20

setup CSG MPS40

We selected "All events including informational". Remember: the more logging, the better the troubleshooting :)

figure 21

setup CSG MPS40

Well, we finished the CSG wizard, but we are not done yet.

figure 22

setup CSG MPS40

Part 2 Configure the Web Interface

Open the ASC and browse to your Web Interface (WI). In the right pane, select "Manage secure client access" and then "Edit Secure Gateway Settings", see figure 24.

figure 23

setup CSG MPS40

Enter the address of the CSG (this is the external FQDN) and add the STA address(es).

figure 24

setup CSG MPS40

In principle you're done :) If you use a private certificate, you need to install the root certificate in order to connect to your published applications through the CSG; otherwise you will get SSL error 61.

Figure 25 shows the certificate warning after you type in the URL of your CSG. From here on the CSG will direct you to the Web Interface (WI).

figure 25

setup CSG MPS40

If you have any questions register on our forum and fire em away. We are there to answer them.

In the future we will write a howto to configure a CSG using smartcards.
