
WHITE PAPER

Citrix Secure Gateway Startup Guide

www.citrix.com
Contents

Introduction ................................................................................................................................ 2
What you will need ..................................................................................................................... 2
Preparing the environment for Secure Gateway ......................................................................... 2
Installing a CA using Windows Server 2008 ............................................................................... 2
Creating a Web Server certificate using Server 2008 ................................................................10
Generating a Certificate Signing Request using IIS 7.0 ......................................................10
A word on certificates .........................................................................................................11
Signing the CSR with your CA ..................................................................................................15
Attaching the Signed certificate with the Private key .................................................................19
Downloading The Root CA certificate........................................................................................22
Installing the Root CA Certificate...............................................................................................24
Installing Citrix Secure Gateway ...............................................................................................27
Installing Citrix Secure Gateway ...............................................................................................29
Configuring Secure Gateway ....................................................................................................33
Modify the Hostfile so the Secure Gateway server can accept the connections on the FQDN...40
Making a connection through secure gateway...........................................................................45
Creating a Web Server certificate with IIS 6.0 ...........................................................................48
Sending the request to be signed ..............................................................................................55
Completing the Certificate request ............................................................................................57

Introduction
Secure Gateway is the de facto standard for giving remote users secure access to Citrix hosted
applications. Citrix Secure Gateway is an application that runs as a service on a server
deployed in the DMZ for maximum security. If cost or storage is an issue, Secure Gateway can
also be installed on a XenApp server; the effect on performance will depend on the number of
users connecting. The Citrix recommended maximum tested on a standalone server is 250
connections. It is assumed you already have a server running XenApp with Web Interface
configured to point to that server as its XML broker. This document guides you through
installing a Certificate Authority (CA), generating a certificate for use with Secure Gateway,
installing and configuring Secure Gateway, and launching an application through the gateway.

What you will need


Single Windows Server 2003/2008
XenApp installed with at least one application published
Web Interface installed with one web site created
A tested direct application launch (direct method)

Preparing the environment for Secure Gateway


To configure and start Citrix Secure Gateway you will need two certificates: a server certificate
and a root certificate. Follow the screen shots below for instructions on how to install your
own certificate authority for testing purposes.

In this example, the Certificate Authority (CA) is on the XenApp server. In a production
deployment, for security reasons, the CA would be on the domain controller or a dedicated server.

Installing a CA using Windows Server 2008


When it is necessary to sign your own server certificate, installing the Certification Authority role
on a domain controller or member server is the cost-effective, low-hassle way to do it. Root and
subordinate CAs are used to issue certificates to users, computers, and services, and to
manage their validity. For the purposes of this document, you will be creating an Enterprise
Root CA, and the screen shots will guide you through the installation process. All steps in this
guide should be done while logged on as a domain administrator to avoid any permission
related issues.

1. On your Windows 2008 server, begin by clicking Start > Server Manager.
2. Within the Server Manager Console, highlight Roles on the left-hand side then click Add
Roles on the right-hand side.

3. Check the box next to Active Directory Certificate Services then click Next.

4. Read the overview of the Role you are adding; in particular, note the part that says that after
adding the Role you will not be able to change the computer name or domain membership,
or promote the server to be a domain controller. Then click Next.
5. Select the box next to the following Role Services, then click Next
a. Certification Authority
b. Certification Authority Web Enrollment
c. Online Responder

6. For Setup type, select Enterprise, since we are creating an Enterprise CA that will be the root, then click Next.

7. Select Root CA and click Next.

8. Create a new private key for certificate signing and click Next.

9. We will use the default cryptographic service provider (RSA) and the default key length of
2048 bits.

Note: 2048 bits is the default key length in Windows Server 2008, because the longer the key,
the more secure it is considered to be. When creating a CA on Windows Server 2003, however,
the default key length is 1024 bits.

10. The CA Name, or Common Name as it is called here, is placed on all certificates that the CA
signs. You can see that the domain and canonical name are placed in the server certificate. This is
why, once you add this Role, you are no longer able to change the computer name or domain
membership: doing so would compromise the common name that the CA signs certificates with.

11. This screen specifies how long the CA's private key (and its certificate) will remain valid; click Next.

12. Click Next.

13. Review the Roles and Role Services, then click Install.

14. Click Close and you will now have a CA for certificate Signing.

This is what you should see in Server Manager > Roles if you have installed the role
successfully:

When the Web Enrollment Role Service is added successfully, you should see the CertSrv
virtual directory within IIS Manager. It is accessible by browsing to http://localhost/certsrv
or http://ipaddressofCA/certsrv; if prompted to authenticate, enter the credentials of the Domain
or Local administrator, whichever one you installed the role as.

Creating a Web Server certificate using Server 2008
Generating a Certificate Signing Request using IIS 7.0

1. Navigate to Start > Administrative Tools > Internet Information Services Manager.
2. Highlight the IIS Homepage as seen on the left-hand side above, then on the right-hand
side, scroll down and click on Server Certificates.

3. There will be two certificates in the computer store already: 1) one created during the
installation of IIS, and 2) one created during the installation of the CA role, which identifies the
entity that signs certificates and is known as the Root certificate.
4. Click Create Certificate Request.

5. Enter the common name of the certificate; it can be any string, as seen below, then
click Next.
a. Remote.UpstartCompany.com
b. ABC.123.XYZ
c. Remote.myserver.xtrasecure.mil

A word on certificates
As stated above, the certificate can have any name, as long as it is resolvable by the client
through DNS or the hosts file (located at c:\windows\system32\drivers\etc\hosts).
Certificates are generally used by web servers to facilitate secure communication with a web
browser. For more reading please see:

HTTP Over TLS: http://www.apps.ietf.org/rfc/rfc2818.html
The TLS Protocol Version 1.0: http://www.ietf.org/rfc/rfc2246.txt

6. Accept the default and click Next.

7. Save the CSR to a text file, preferably on the desktop, by clicking the button and then
clicking Desktop.
8. Make sure the name is certreq and click Open.

9. Be sure that the certificate request is in a place you have permission to save to and that is
easy to access, like the desktop, then click Finish. You now have your certificate request. The
next step is to send this request to a CA so that it may be signed.

Signing the CSR with your CA

1. After you have created the Certificate Signing Request, you must have it signed by a
CA. To accomplish this, open a web browser on the CA and navigate to
http://localhost/certsrv. If doing this from a machine other than the CA, enter the
following URL into the web browser: http://ipaddressofCA/certsrv
2. Under Select a task, click on Request a certificate.

3. We are creating a Web Server certificate, so choose advanced certificate request.

4. Click the second option, Submit a certificate request by using a base-64 encoded
CMC.

5. Go to the CertReq.txt file, open it, and copy its contents as seen above, from the first line to
the last, with no surrounding whitespace.

6. Paste the copied text into the Saved Request Field and in the Certificate Template
dropdown box, choose Web Server.

7. With the radio button next to DER encoded selected, click Download certificate.
8. Save it to the Desktop as Certnew.cer.

Attaching the Signed certificate with the Private key

1. Back in the Server Certificates node within the Homepage of IIS, click on Complete a
Certificate Request.

2. Browse to the Certnew.cer file (or whatever you named the file that you downloaded from
the CA).

3. Click on the certificate received from the CA after submitting the CSR and click Open.

4. Give the certificate a Friendly Name. This is how the certificate will show up in the Microsoft
certificate store; it serves only as a label, so the name is arbitrary.
5. Click OK.

You now have three certificates within the Server Certificates viewer, and are ready to download
the Root Certificate from the CA.

Downloading The Root CA certificate

1. In a browser, go to the Certificate Services Web enrollment tool.


2. Click Download a CA certificate, certificate chain, or CRL.

3. Click Download CA certificate, again with DER encoding selected.

4. Save it as Rootcert.cer on the desktop.

Installing the Root CA Certificate

1. Open the Rootcert.cer that you saved to the Desktop.


2. On the General Tab, click on Install Certificate.
3. Click Next.

4. Select the radio button next to Place all certificates in the following store.
5. Click Browse.

6. Check the box next to Show physical store, then expand the Trusted Root
Certification Authorities > Local Computer and click OK.

7. Click Next.

8. Click Finish.
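The two checks that the steps above rely on, that the server certificate carries its private key (the "You have the private key that corresponds to this certificate" message seen later in the Secure Gateway wizard) and that the root certificate landed in the Local Computer's Trusted Root store rather than the current user's, can be verified from a PowerShell prompt. The script below is an added example, not part of the Citrix guide; it assumes Windows PowerShell 2.0 or later, and the common name is a placeholder taken from the guide's own hosts-file example that you must replace with the CN you entered in the CSR.

```powershell
# Added example, not part of the Citrix guide: verify the Secure Gateway server
# certificate and its issuing root after the "Complete Certificate Request" and
# "Install Certificate" steps. Assumes Windows PowerShell 2.0 or later.
# The common name below is a placeholder taken from the guide's hosts-file example.
param(
    [string]$ExpectedCommonName = 'remoteapps.mycsg.com'   # CN you entered in the CSR
)

# Server certificates live in the Local Computer Personal store (Cert:\LocalMachine\My).
$pattern    = 'CN=' + [regex]::Escape($ExpectedCommonName) + '(,|$)'
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $pattern })

if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with CN=$ExpectedCommonName in LocalMachine\My. Re-run 'Complete Certificate Request' in IIS."
    return
}

foreach ($cert in $candidates) {
    Write-Host "Thumbprint : $($cert.Thumbprint)"
    Write-Host "Subject    : $($cert.Subject)"
    Write-Host "Issuer     : $($cert.Issuer)"
    Write-Host "Valid      : $($cert.NotBefore) to $($cert.NotAfter)"

    # This property is what the "You have the private key that corresponds to this
    # certificate" message reports; without it Secure Gateway cannot use the certificate.
    if (-not $cert.HasPrivateKey) {
        Write-Warning 'No private key attached: the downloaded .cer was imported directly instead of completing the pending request in IIS.'
    }

    # Build the chain; the Local Computer stores are consulted, which is what the
    # Secure Gateway service (running as LocalSystem) will see. Revocation checking
    # is skipped here so that CRL reachability does not mask a trust problem.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if ($chain.Build($cert)) {
        Write-Host 'Chain      : OK (issuer trusted by the Local Computer)'
    } else {
        foreach ($status in $chain.ChainStatus) {
            Write-Warning "Chain problem: $($status.Status) - $($status.StatusInformation)"
        }
    }
}

# The Rootcert.cer you installed must be in the Local Computer's Trusted Root store
# (Cert:\LocalMachine\Root); a copy under CurrentUser\Root is not seen by the service.
$issuer = $candidates[0].Issuer
$root   = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $issuer }
if ($root) {
    Write-Host 'Root CA    : present in Trusted Root Certification Authorities (Local Computer)'
} else {
    Write-Warning "Root CA '$issuer' not found in LocalMachine\Root; repeat the Install Certificate steps choosing Local Computer."
}
```

Run it from an elevated prompt on the Secure Gateway server. A certificate that shows up with HasPrivateKey false is the classic symptom of having double-clicked Certnew.cer and imported it instead of completing the pending request in IIS, which is exactly the situation the note in the Configuring Secure Gateway section describes.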

Installing Citrix Secure Gateway
Before we can begin the installation of Citrix Secure Gateway, we must ensure that port 443 is
not in use. After you install a server certificate, IIS automatically binds the certificate to port 443,
so we must remove the binding or change the port it uses. As expected, there is a binding to 443
on the site, as can be seen below. For the purposes of this document, we will be removing the
https binding.

1. Open IIS Manager and click on Default Web Site.


2. On the right-hand side, click on Bindings.

3. Scroll down, highlight HTTPS, and click Remove.


Note: If you want to secure traffic between IIS and Citrix Secure Gateway, edit the binding
and change the port to 444 or some other non-well-known TCP port. For best performance,
securing this traffic is only recommended when IIS and Citrix Secure Gateway are on different servers.

Notice that port 443 is no longer occupied because there is no binding for it under the Default
Web Site actions pane.

Installing Citrix Secure Gateway

1. Open and run the CSG_GWY executable file.


2. Follow setup recommendations and click Next.

3. Click Next.

4. We are installing only Secure Gateway, click Next.
Secure Gateway proxy is for use in a Dual-Hop DMZ and acts as a relay host for
communications from the second stage of the DMZ to the trusted network.

5. Click Next.

6. From the dropdown, change the installation Account to LocalSystem. This ensures the
service can run in the event of a Network Service Permission lockdown, which is
common in enterprise environments.

7. Click Next.

8. Click Finish, then OK in the next dialog box, to begin the initial configuration.

9. Click OK.

Configuring Secure Gateway

1. Click Advanced and Next.

2. Select the Certificate that you created and click View.


Note: If you cannot get past this screen, you did not complete the certificate request after
downloading the .cer file from the certsrv URL. Go to IIS and click Complete Certificate
Request.

3. If you do not see the note You have the private key that corresponds to this certificate,
go to IIS Manager > IIS Homepage > Server Certificates > Complete Certificate
Request, then point to certnew.cer and give it a Friendly Name.
4. If you do see the message, click OK and then Next.

5. Accept defaults and click Next.

6. Accept Defaults and click Next.

7. Accept defaults and click Next.

8. For the FQDN, enter the IP address or NetBIOS name of the XenApp server.
a. Leave the path as default.
b. If the XML service is sharing with IIS, click OK.
c. If the XML service is on a dedicated port, click the Use Default box and enter the
dedicated port that the XML service is on.

9. You should see an STA identifier once the Citrix Secure Gateway has communicated
successfully with the XenApp server. If your XenApp server is Windows Server 2008, make
sure that all three firewall profiles are turned off and that the XML service is started.
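When the STA identifier does not appear, the question is whether the XenApp server's XML service is reachable at all on the port you entered (80 when it shares with IIS, otherwise the dedicated port). The function below is an added example, not part of the Citrix guide: it opens a TCP connection from the Secure Gateway server with a timeout so that a dropped packet (a firewall) is distinguishable from an active refusal (service stopped). The host name is a constructed placeholder, the service name CtxHttp in the comment is assumed to be the Citrix XML Service's Windows service name, and the script assumes Windows PowerShell 2.0 or later. A narrower alternative to turning off all three firewall profiles is to allow only the XML port inbound on the XenApp server, which the comment shows.

```powershell
# Added example, not part of the Citrix guide: check from the Secure Gateway
# server that the XenApp XML service is reachable on the port you will enter
# in the STA configuration. Assumes Windows PowerShell 2.0 or later.
function Test-XmlServicePort {
    param(
        [string]$XenAppHost = 'xenapp01',   # constructed placeholder: the IP or NetBIOS name used in the wizard
        [int]$Port = 80,                    # 80 when the XML service shares with IIS, else the dedicated port
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($XenAppHost, $Port, $null, $null)
        # No answer at all within the timeout usually means a firewall is dropping the SYN.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return "TIMEOUT: no answer from ${XenAppHost}:$Port within $TimeoutMs ms (firewall, or wrong host/port?)"
        }
        $client.EndConnect($async)
        return "OK: ${XenAppHost}:$Port accepts TCP connections"
    } catch {
        # An immediate RST means the host is up but nothing listens there: service stopped or wrong port.
        return "REFUSED: ${XenAppHost}:$Port - $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

Test-XmlServicePort -XenAppHost 'xenapp01' -Port 80

# On the XenApp server itself (assumed service name CtxHttp, the Citrix XML Service):
#   Get-Service -Name CtxHttp
# and, on Windows Server 2008, to open just the XML port instead of disabling the firewall:
#   netsh advfirewall firewall add rule name="Citrix XML Service" dir=in action=allow protocol=TCP localport=80
```

A TIMEOUT result with the service running points at the firewall between the two servers (or the XenApp host firewall); a REFUSED result with the firewall open points at the XML service itself or at a port mismatch with the Use Default box in step 8.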

10. Click Next.

11. Accept defaults and click Next.

12. Accept defaults and click Next.

13. Specify how users will access Web Interface:
a. Indirect: to access Web Interface securely, users enter the Fully Qualified Domain
Name of the certificate attached to Secure Gateway.
b. Direct: users access Web Interface by the IP address or Fully Qualified Domain
Name of the Citrix Secure Gateway. Choose the default settings, because Citrix
Secure Gateway and Web Interface are on the same machine for this lab.

14. This page controls the level of logs that are written to the Windows event log console. It
is useful to look in the logs when troubleshooting service or network errors thought to be
caused by the gateway.

15. Click Finish to start the Secure Gateway.


Note: If the service does not start, make sure that no other process is running on the secure
socket port 443.
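Both the binding removal earlier (Installing Citrix Secure Gateway) and the note above come down to one question: is something still listening on TCP 443? The script below is an added example, not part of the Citrix guide, that answers it on Windows Server 2003/2008 by parsing netstat -ano (Get-NetTCPConnection does not exist on those releases) and mapping the owning PID to a process name. It assumes Windows PowerShell 2.0 or later. A listener owned by PID 4 (System) means the port is held by the HTTP.SYS kernel driver, which is how an IIS https binding shows up.

```powershell
# Added example, not part of the Citrix guide: report what, if anything, is
# listening on a TCP port before installing or starting Secure Gateway.
# Assumes Windows PowerShell 2.0 or later; netstat -ano output is parsed
# because Get-NetTCPConnection does not exist on Windows Server 2003/2008.
function Get-PortListener {
    param([int]$Port = 443)

    # Example netstat -ano line: "  TCP    0.0.0.0:443    0.0.0.0:0    LISTENING    4"
    $lines = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' -and $_ -match '\sLISTENING\s' }
    foreach ($line in $lines) {
        $fields = $line.Trim() -split '\s+'
        $local  = $fields[1]           # 0.0.0.0:443 or [::]:443
        $procId = [int]$fields[4]
        if ($local -match (':' + $Port + '$')) {
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            if ($proc) { $name = $proc.ProcessName } else { $name = '(unknown)' }
            New-Object PSObject -Property @{
                LocalAddress  = $local
                ProcessId     = $procId
                ProcessName   = $name
                # PID 4 is the System process: the port is held by the HTTP.SYS kernel
                # driver on behalf of IIS, i.e. the https site binding is still present.
                HeldByHttpSys = ($procId -eq 4)
            }
        }
    }
}

$listeners = @(Get-PortListener -Port 443)
if ($listeners.Count -eq 0) {
    Write-Host 'Port 443 is free: Secure Gateway can bind to it.'
} else {
    $listeners | Format-Table LocalAddress, ProcessId, ProcessName, HeldByHttpSys -AutoSize
    if ($listeners | Where-Object { $_.HeldByHttpSys }) {
        Write-Warning 'HTTP.SYS still owns 443: remove or re-port the https binding in IIS Manager (on Windows Server 2008, netsh http show sslcert lists the SSL bindings).'
    }
}
```

Run it once before installing Secure Gateway and again if the service fails to start; any listener other than the Secure Gateway service itself has to be removed or moved (for IIS, by editing the binding as the earlier note describes).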

Modify the Hostfile so the Secure Gateway server can accept the
connections on the FQDN
Because Secure Gateway listens for incoming connections on the common name of the server
certificate, and that name may or may not be the same as the fully qualified domain name of
the machine, we have to ensure that the local hosts file on the Citrix Secure Gateway server
has an entry for that name, so that pinging the name on the server resolves to the server itself.

1. Click Start and navigate to the file mentioned above, c:\windows\system32\drivers\etc\hosts.
Open it with Notepad.

2. Enter the following data into your hosts file, as seen above: the IP address of your server,
<tab>, the SSL common name of the certificate.
For example, the FQDN of my server, based on domain membership, is
csg.mojicalab.com and the SSL common name of my certificate is
remoteapps.mycsg.com. Normally, the SSL common name would not resolve to my IP
address, but with this entry in the hosts file, as seen above, it will. Save and
close.

3. Open a command line and ping the name you entered in the hosts file. It should resolve to
the local IP.
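Steps 1 to 3 above can be done in one go, with a backup of the hosts file and a check that the name really resolves to an address this machine owns (a stale negative entry in the DNS resolver cache is the usual reason the ping still fails). The script below is an added example, not part of the Citrix guide; it uses the guide's common name as a placeholder, the IP address is a constructed placeholder from the documentation range that you must replace with your server's address, and it assumes an elevated Windows PowerShell 2.0 or later prompt, since the hosts file is ACL-protected.

```powershell
# Added example, not part of the Citrix guide: add the hosts entry that maps the
# certificate common name to the gateway server's own IP, then confirm it resolves
# locally. Assumes an elevated Windows PowerShell 2.0+ prompt.
$CommonName = 'remoteapps.mycsg.com'   # SSL common name of the certificate (guide's example)
$ServerIp   = '192.0.2.10'             # constructed placeholder: replace with this server's IP

$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'

# Keep a dated backup before touching a system file.
Copy-Item $hostsPath ($hostsPath + '.' + (Get-Date -Format 'yyyyMMddHHmmss') + '.bak')

# Is there already an active (uncommented) line mapping this name?
$entryPattern = '^\s*\S+\s+' + [regex]::Escape($CommonName) + '(\s|#|$)'
$existing = Get-Content $hostsPath | Where-Object { $_ -match $entryPattern -and $_ -notmatch '^\s*#' }

if ($existing) {
    Write-Host "Existing entry: $existing"
} else {
    # Format is <IP><tab><name>, as the guide describes; the trailing comment is optional.
    Add-Content -Path $hostsPath -Value ($ServerIp + "`t" + $CommonName + "`t# Citrix Secure Gateway certificate CN")
    Write-Host "Added: $ServerIp -> $CommonName"
}

# Verify: the name must resolve to an address this machine actually owns.
$resolved = [System.Net.Dns]::GetHostAddresses($CommonName) | ForEach-Object { $_.IPAddressToString }
$localIps = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) | ForEach-Object { $_.IPAddressToString }
Write-Host "$CommonName resolves to: $($resolved -join ', ')"
if ($resolved | Where-Object { $localIps -contains $_ }) {
    Write-Host 'OK: the common name resolves to a local address'
} else {
    Write-Warning 'Name does not resolve to this server; check the hosts entry and flush the resolver cache (ipconfig /flushdns).'
}
```

The resolution check goes through the same Windows resolver that Secure Gateway uses, so a green result here is equivalent to the ping test in step 3.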

4. Open the Web Interface management console, highlight XenApp Web Sites > External
or XenApp > Secure Access.

5. Select the default access method Gateway direct and click Edit.
Note: This wizard will configure Web Interface to generate launch.ica files that route user
connections through the gateway.

6. Enter the FQDN and uncheck the box for Enable session reliability.
7. Click Next.

8. Enter the same Secure Ticket Authority (STA) as listed on Secure Gateway. If you
entered the IP address on Secure Gateway, enter the same address here for Web
Interface. As you see above, the STA is listed as ip:port if XML is not sharing with IIS.

9. The Secure access tab should have a check next to Gateway Direct.

Making a connection through secure gateway

1. Open Internet Explorer and go to the FQDN of Secure Gateway. You will see that the Web
Interface logon page is now secured, under the name on the certificate.

2. Log on and launch your application.

3. After your application starts, go to the Connection Center: in the system tray, right-click
the Citrix icon, then click Connection Center.
4. Highlight the farm name and click Properties on the right-hand side of the Connection
Center.

5. See that the encryption level is 256 Bit SSL/TLS.

6. Go to Start > All Programs > citrix > management consoles > Secure Gateway
Management console.

Creating a Web Server certificate with IIS 6.0

1. Open the Internet Information Services (IIS) 6.0 Manager.


2. Click on the Default Web Site.
3. Right click and choose Properties.

4. Once in Properties, notice there is no SSL port configured, then go to the Directory
Security tab.

5. Click Server Certificate.

6. Click Next.

7. Accept the defaults and click Next.

8. Give the certificate a friendly name and accept the default Bit length.
9. Click Next.

10. Complete the required fields.


11. Click Next.

12. Enter the name of your certificate, known as the common name or FQDN.

13. Complete the required fields.


14. Click Next.

15. Accept the defaults.
16. Click Next.

17. Review the entries.


18. Click Next.

19. Click Finish.

Sending the request to be signed

1. Copy the text from the certreq.txt file in the root of the c:\ drive on the Windows 2003
CA server. Go to the http://localhost/certsrv URL.
2. Click Request a certificate.

3. Click advanced certificate request.

4. Click Submit a certificate request by using a base 64 encoded CMC.

5. Paste the certificate into the Saved Request field.
6. For certificate template, choose Web Server.
7. Click Submit.

8. Choose DER Encoded then click Download.

Completing the Certificate request

1. Go to the Properties of the Default Web Site again within IIS 6.0 Manager.
2. Click Server Certificate.
3. Click Next.

4. Choose the option to Process the pending request and install the certificate.

5. Click Browse.
6. Navigate to the location where the certnew.cer file was downloaded to, default path is
the root of the c:\ drive.

7. Change the SSL port to 444. This is required if Secure Gateway will listen on port 443.

8. Click Next.
9. Click Finish.

10. View the completed certificate by clicking View Certificate.

11. You should see You have the private key that corresponds to the certificate. This
means that the signed certificate has been successfully bound to the paired private key,
creating a complete web server certificate.

