www.citrix.com
Contents
Introduction ................................................................................................................................ 2
What you will need ..................................................................................................................... 2
Preparing the environment for Secure Gateway ......................................................................... 2
Installing a CA using Windows Server 2008 ............................................................................... 2
Creating a Web Server certificate using Server 2008 ................................................................10
Generating a Certificate Signing Request using IIS 7.0 ......................................................10
A word on certificates .........................................................................................................11
Signing the CSR with your CA ..................................................................................................15
Attaching the Signed certificate with the Private key .................................................................19
Downloading The Root CA certificate........................................................................................22
Installing the Root CA Certificate...............................................................................................24
Installing Citrix Secure Gateway ...............................................................................................27
Installing Citrix Secure Gateway ...............................................................................................29
Configuring Secure Gateway ....................................................................................................33
Modify the Hostfile so the Secure Gateway server can accept the connections on the FQDN...40
Making a connection through secure gateway...........................................................................45
Creating a Web Server certificate with IIS 6.0 ...........................................................................48
Sending the request to be signed ..............................................................................................55
Completing the Certificate request ............................................................................................57
Introduction
Secure Gateway is the de facto standard for giving remote users secure access to Citrix-hosted
applications. Citrix Secure Gateway runs as a service on a server that, for maximum security, is
deployed in the DMZ. If cost or hardware is an issue, Secure Gateway can also be installed on a
XenApp server; the effect on performance then depends on the number of users connecting. The
maximum Citrix has tested on a standalone server is 250 concurrent connections. It is assumed you
already have a server running XenApp, with Web Interface configured to use that server as its XML
broker. This document guides you through installing a Certificate Authority (CA), generating a
certificate for use with Secure Gateway, installing and configuring Secure Gateway, and launching
an application through the gateway.
In this example the CA is installed on the XenApp server for convenience. In a production
deployment the CA belongs on a domain controller or, better, a dedicated server that is never
exposed to the Internet: whoever holds the CA's private key can issue a certificate for any name
that every client trusting this CA will accept.
1. On your Windows 2008 server, begin by clicking Start > Server Manager.
2. Within the Server Manager Console, highlight Roles on the left-hand side then click Add
Roles on the right-hand side.
3. Check the box next to Active Directory Certificate Services then click Next.
4. Read the overview of the role you are adding. In particular, note that after the role is
installed you will not be able to change the computer name or domain membership, or promote
the server to a domain controller. Then click Next.
5. Select the box next to the following Role Services, then click Next
a. Certification Authority
b. Certification Authority Web Enrollment
c. Online Responder
6. For Setup Type, choose Enterprise CA (this CA will be the root of its own hierarchy) and
click Next.
7. For CA Type, choose Root CA and click Next.
8. Create a new private key for certificate signing and click Next.
9. Keep the default cryptographic service provider (RSA) and the default key length of
2048 bits.
Note: 2048 bits is the default key length in Windows Server 2008 because a longer key is
harder to factor and is therefore considered more secure. The Windows Server 2003 CA wizard
defaulted to 1024 bits, which is no longer considered adequate for a CA key; if you ever build
a CA on Server 2003, raise the length to 2048.
10. The CA Name (shown here as Common Name) is placed in the Issuer field of every certificate
the CA signs; as you can see, the domain name is included in it as well. This is why, once
the role is added, you can no longer change the computer name or domain membership: doing so
would invalidate the name the CA signs certificates with.
11. This screen specifies how long the CA certificate, and with it the CA private key, remains valid. Accept the default and click Next.
13. Review the Roles and Role Services, then click Install.
14. Click Close and you will now have a CA for certificate Signing.
This is what you should see in Server Manager > Roles if the role installed successfully:
When the Web Enrollment role service is added, a CertSrv virtual directory appears in IIS
Manager and is reachable at http://localhost/certsrv or http://ipaddressofCA/certsrv. If
prompted, authenticate with the domain or local administrator account, whichever one you
installed the role as. Note that the default Web Enrollment site is plain HTTP, so everything
it exchanges crosses the network unencrypted; outside a lab, use it only from the CA itself or
require HTTPS on the CertSrv directory.
Creating a Web Server certificate using Server 2008
Generating a Certificate Signing Request using IIS 7.0
1. Navigate to Start > Administrative Tools > Internet Information Services Manager.
2. Highlight the IIS Homepage as seen on the left-hand side above, then on the right-hand
side, scroll down and click on Server Certificates.
3. Two certificates are already in the computer store: 1) one created during the installation
of IIS, and 2) the CA's own root certificate, created when the CA role was installed, which
identifies the entity that signs certificates.
4. Click Create Certificate Request.
5. Enter the common name of the certificate and click Next. Any valid host name works, as
seen below, but it must be exactly the name users will type in the browser and that the
ICA client will connect to: a mismatch produces certificate warnings in the browser and a
failed connection from the ICA client. Examples:
a. Remote.UpstartCompany.com
b. ABC.123.XYZ
c. Remote.myserver.xtrasecure.mil
A word on certificates
As stated above, the certificate can carry any name, as long as clients can resolve that name
through DNS or their hosts file (located at c:\windows\system32\drivers\etc\hosts).
Certificates are generally used by web servers to prove their identity to a browser and to
negotiate an encrypted session; Secure Gateway uses the same mechanism to protect ICA traffic.
For more reading please see:
6. Accept the default and click Next.
7. Save the CSR to a text file, preferably on the desktop, by clicking the browse button and
then clicking Desktop.
8. Name the file certreq and click Open.
9. Make sure the file is in a location you have permission to write to and that is easy to
find, such as the desktop, then click Finish. You now have your certificate request; the
private key stays on this server, and only the public key and the name go into the request.
The next step is to send the request to a CA so that it can be signed.
Signing the CSR with your CA
1. After you have created the Certificate Signing Request, you must have it signed by a
CA. To accomplish this, open a web browser on the CA and navigate to
http://localhost/certsrv. If doing this from a machine other than the CA, enter the
following URL into the web browser: http://ipaddressofCA/certsrv
2. Under Select a task, click on Request a certificate.
3. We are creating a Web Server certificate, so choose advanced certificate request.
4. Click the second option, Submit a certificate request by using a base-64-encoded CMC or
PKCS #10 file.
5. Open the CertReq.txt file and copy its contents as seen above: everything from the
-----BEGIN NEW CERTIFICATE REQUEST----- line through the -----END NEW CERTIFICATE REQUEST-----
line, including those two marker lines, with no leading or trailing whitespace.
6. Paste the copied text into the Saved Request Field and in the Certificate Template
dropdown box, choose Web Server.
7. With the radio button next to DER encoded selected, click Download certificate.
8. Save it to the Desktop as Certnew.cer.
Attaching the Signed certificate with the Private key
1. Back in the Server Certificates node of the IIS homepage, click Complete Certificate
Request.
2. Click the browse button and locate the Certnew.cer file (or whatever name you gave the
file you downloaded from the CA).
3. Click on the certificate received from the CA after submitting the CSR and click Open.
4. Give the certificate a friendly name. This is the label under which it appears in the
Microsoft certificate store; the name itself is arbitrary.
5. Click OK.
You now have three certificates within the Server Certificates viewer, and are ready to download
the Root Certificate from the CA.
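The same request, sign and complete sequence can be driven from the command line with certreq.exe, which is built into Windows. The following is an added example and not part of the Citrix guide; it assumes the CA config string and template name shown in the comments (run "certutil -cainfo name" on the CA to get its common name) and uses the guide's example subject name. Run it in an elevated PowerShell on the server that will host Secure Gateway.

```powershell
# Added example, not from the Citrix guide: CSR -> sign -> complete with certreq.exe.
# ASSUMED: the CA config string and template name below; the subject is the guide's example.

$Subject  = 'remote.upstartcompany.com'        # guide's example common name
$CAConfig = 'CAHOST\UpstartCompany-Root-CA'    # ASSUMED: "<CA host>\<CA common name>"
$Template = 'WebServer'                        # ASSUMED: internal name of the Web Server template
$Work = Join-Path $env:USERPROFILE 'Desktop'
$Inf  = Join-Path $Work 'request.inf'
$Csr  = Join-Path $Work 'certreq.txt'
$Cer  = Join-Path $Work 'certnew.cer'

# Request template. MachineKeySet puts the key in the computer store so the Secure Gateway
# service (not a user profile) owns it; Exportable=FALSE stops it being copied off the box;
# KeyUsage 0xA0 = digitalSignature + keyEncipherment; the EKU OID is Server Authentication.
$infText = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=__SUBJECT__"
KeyLength = 2048
KeyAlgorithm = RSA
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
'@
($infText -replace '__SUBJECT__', $Subject) | Set-Content -Path $Inf -Encoding ASCII

# 1. Generate the key pair and the PKCS #10 request (IIS Manager "Create Certificate Request").
& certreq.exe -new $Inf $Csr

# 2. Submit it to the enterprise CA with the Web Server template (the /certsrv paste).
#    certreq -submit talks to the CA over authenticated DCOM, so unlike http://.../certsrv
#    nothing crosses the network in clear text. If the CA answers "pending", issue the
#    request in the Certification Authority console and fetch it with:
#      certreq -retrieve -config $CAConfig <RequestId> $Cer
& certreq.exe -submit -config $CAConfig -attrib "CertificateTemplate:$Template" $Csr $Cer

# 3. Bind the issued certificate to the pending request's private key
#    (IIS Manager "Complete Certificate Request").
& certreq.exe -accept $Cer

# 4. Verify in the computer store. HasPrivateKey is the same condition the Secure Gateway
#    wizard later reports as "You have the private key that corresponds to this certificate";
#    if it is false, the CSR and the .cer do not belong together.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Subject" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$Subject in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key; repeat step 3" }
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint, HasPrivateKey
```

Because the request is submitted over DCOM with the caller's Windows identity, the account running the script needs Enroll permission on the Web Server template, exactly as it would for the /certsrv page.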
Downloading The Root CA certificate
4. Save it as Rootcert.cer on the desktop.
Installing the Root CA Certificate
4. Place a bullet in the circle next to Place all certificates in the following store.
5. Click Browse.
6. Check the box next to Show physical store, then expand the Trusted Root
Certification Authorities > Local Computer and click OK.
7. Click Next.
8. Click Finish.
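The download and import of the root certificate, plus a check that the Web Server certificate actually chains to it, can be scripted as follows. This is an added example, not part of the Citrix guide; it assumes the CA config string shown and the guide's example subject name. Run it elevated on the Secure Gateway server.

```powershell
# Added example, not from the Citrix guide: fetch the root CA certificate, install it in the
# computer's Trusted Root store, and prove the Web Server certificate chains to it.
# ASSUMED: CA config string below; subject is the guide's example name.

$CAConfig = 'CAHOST\UpstartCompany-Root-CA'    # ASSUMED: "<CA host>\<CA common name>"
$Subject  = 'remote.upstartcompany.com'        # guide's example common name
$RootCer  = Join-Path $env:USERPROFILE 'Desktop\Rootcert.cer'

# 1. Download the CA certificate (same bytes as "Download a CA certificate" on /certsrv,
#    but over authenticated DCOM instead of clear-text HTTP).
& certutil.exe -config $CAConfig -ca.cert $RootCer

# 2. Install it into Trusted Root Certification Authorities of the *computer* store ("Root").
#    -f overwrites an older copy. The current-user store would not help a service running
#    as LocalSystem or NetworkService, which is why the guide picks Local Computer.
& certutil.exe -addstore -f Root $RootCer

# 3. Sanity-check what was installed: a root must be self-signed (Subject equals Issuer).
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCer
if ($root.Subject -ne $root.Issuer) {
    throw "$RootCer is not self-signed; an intermediate belongs in the 'CA' store, not 'Root'"
}
"Root installed: {0} (thumbprint {1}, expires {2})" -f $root.Subject, $root.Thumbprint, $root.NotAfter

# 4. Build the chain for the Web Server certificate the way SChannel will at TLS time.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Subject" } | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$Subject in LocalMachine\My" }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL/OCSP reachability is a separate test
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
    throw "Chain for $Subject does not build: the root is not trusted or the cert was issued by another CA"
}
'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join '  <-  ')
```

Domain-joined machines receive an enterprise CA's root automatically through Active Directory; the manual import matters for a Secure Gateway server that sits in a workgroup in the DMZ and for external clients, which must trust the root or the ICA client will refuse the TLS connection.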
Installing Citrix Secure Gateway
Before we can begin the installation of Citrix Secure Gateway, we must ensure that port 443 is
not in use. After you install a server certificate, IIS automatically binds to port 443 with the
certificate, so we must remove the binding or change the port that it is using. As expected, there
is a Binding to 443 on the site, as can be seen below. For the purposes of this document, we
will be removing https binding.
Notice that port 443 is no longer occupied because there is no binding for it under the Default
Web Site actions pane.
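The same check and change from the command line, using appcmd.exe (which ships with IIS 7.0): this is an added example, not from the Citrix guide, and assumes the site is "Default Web Site". Run it elevated on the Secure Gateway server.

```powershell
# Added example, not from the Citrix guide: see what owns TCP 443, drop the IIS https
# binding with appcmd.exe so Secure Gateway can take the port, then re-check.
# ASSUMED: the IIS site is "Default Web Site".

$Site   = 'Default Web Site'
$AppCmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

function Get-Port443Listeners {
    # netstat -ano shows the owning PID. An IIS binding appears as PID 4 (System) because
    # http.sys holds the socket on IIS's behalf, not w3wp.exe.
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:443\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $procId = [int]$Matches[1]
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $name   = if ($proc) { $proc.ProcessName } else { 'unknown' }
            '{0} (PID {1})' -f $name, $procId
        }
    } | Sort-Object -Unique
}

'Before: ' + ((Get-Port443Listeners) -join ', ')

# Current bindings of the site; an https binding prints as https/*:443:
& $AppCmd list site $Site /text:bindings

# Delete only the https binding. Web Interface stays on http/80, which is what Secure
# Gateway proxies to. (To keep IIS on TLS as well, move it to 444, as the IIS 6.0 section
# at the end of this guide does, instead of deleting it.)
& $AppCmd set site $Site "/-bindings.[protocol='https',bindingInformation='*:443:']"

# http.sys keeps its own certificate-to-port table. If 0.0.0.0:443 is still listed after
# the binding is gone, that entry is what holds the port; remove it with
#   netsh http delete sslcert ipport=0.0.0.0:443
netsh http show sslcert

'After:  ' + ((Get-Port443Listeners) -join ', ')
```

After the binding is removed the "After" line should list nothing; once the Secure Gateway service is installed and started, it should list the gateway service process instead of PID 4.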
Installing Citrix Secure Gateway
3. Click Next.
4. We are installing only Secure Gateway, click Next.
Secure Gateway proxy is for use in a Dual-Hop DMZ and acts as a relay host for
communications from the second stage of the DMZ to the trusted network.
5. Click Next.
6. From the dropdown, change the installation account to LocalSystem. This ensures the
service can still run if Network Service permissions are locked down, which is common in
enterprise environments. Be aware of the trade-off: LocalSystem is the most privileged
account on the server, so a flaw in the gateway process exposes the whole DMZ host. If your
environment does not restrict Network Service, keep that lower-privileged account.
7. Click Next.
8. Click Finish and OK to the next dialogue box to begin the initial configuration.
9. Click OK.
Configuring Secure Gateway
3. If you do not see the note You have the private key that corresponds to this certificate,
go to IIS Manager > IIS Homepage > Server Certificate > Complete Certificate
request then point to the certnew.cer. Give it a Friendly name.
4. If you do see the message, then click OK and Next.
6. Accept Defaults and click Next.
8. For the FQDN, enter the fully qualified domain name (or the IP address or NetBIOS name)
of the XenApp server.
a. Leave the path as default.
b. If the XML service shares its port with IIS, click OK.
c. If the XML service is on a dedicated port, clear the Use Default box and enter the
port the XML service listens on.
9. An STA identifier appears once Citrix Secure Gateway has successfully contacted the
XenApp server. If the XenApp server runs Windows Server 2008 and no STA appears, check
that the Citrix XML service is started and that the Windows Firewall (all three profiles:
Domain, Private and Public) allows inbound TCP on the XML port from the gateway. Turning
the firewall off entirely works for a lab but should not be done on a production server.
10. Click Next.
13. Specify how users will access Web Interface:
a. Indirect: users reach Web Interface through the gateway, by entering the fully qualified
domain name on the certificate attached to Secure Gateway.
b. Direct: users reach Web Interface by the IP address or fully qualified domain name of
the Citrix Secure Gateway server itself. Keep the default setting, because for this lab
Citrix Secure Gateway and Web Interface are on the same machine.
14. This page controls how much the gateway writes to the Windows event log. The event log
is the first place to look when troubleshooting service or network errors thought to be
caused by the gateway.
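Rather than switching the Windows Firewall off on the XenApp server to get the STA check above to pass, open only the XML Service port to the gateway and verify it from the gateway side. The following is an added example, not part of the Citrix guide; the XenApp host name and the gateway's DMZ address are placeholders, and it assumes the XML service shares port 80 with IIS (set the port variable otherwise).

```powershell
# Added example, not from the Citrix guide: open just the Citrix XML Service port to the
# Secure Gateway host, and test reachability from the gateway.
# ASSUMED: host name, port and DMZ address below are placeholders.

$XenApp    = 'xenapp01'      # ASSUMED: XenApp / XML broker host name
$XmlPort   = 80              # 80 when XML shares with IIS; otherwise the dedicated port
$GatewayIp = '192.0.2.10'    # ASSUMED: DMZ address of the Secure Gateway server

function Add-XmlServiceFirewallRule {
    # Run on the XenApp server (elevated). One inbound rule scoped to the gateway's address,
    # applied to all three profiles; nothing else is opened and the firewall stays on.
    netsh advfirewall firewall add rule name="Citrix XML Service from Secure Gateway" `
        dir=in action=allow protocol=TCP localport=$XmlPort remoteip=$GatewayIp profile=any
}

function Test-TcpPort([string]$Server, [int]$Port, [int]$TimeoutMs = 3000) {
    # Run on the Secure Gateway server. A TCP connect with a timeout: $true means the
    # XML/STA listener is reachable through the firewall, $false means blocked or stopped.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

if (Test-TcpPort -Server $XenApp -Port $XmlPort) {
    "XML service on ${XenApp}:$XmlPort is reachable; the wizard's default STA URL is http://${XenApp}:$XmlPort/scripts/ctxsta.dll"
} else {
    throw "Cannot reach ${XenApp}:$XmlPort from this host: add the firewall rule on $XenApp and check the Citrix XML Service is started"
}
```

Call Add-XmlServiceFirewallRule once on the XenApp server, then run the rest on the gateway. A successful TCP connect only proves the port is open; the STA identifier appearing in the wizard is the end-to-end confirmation.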
Modify the Hostfile so the Secure Gateway server can accept the
connections on the FQDN
Secure Gateway listens for incoming connections under the common name of its server
certificate, and that name may or may not match the fully qualified domain name of the
machine. We therefore have to make sure the hosts file on the Citrix Secure Gateway server
contains an entry for the certificate name, so that pinging that name on the server resolves
to the server itself.
2. Enter the following line, as seen above: the IP address of your server, a tab, and the
SSL common name of the certificate, for example:
<IP address of your server><tab>remoteapps.mycsg.com
In this example the FQDN of the server, based on domain membership, is csg.mojicalab.com and
the SSL common name of the certificate is remoteapps.mycsg.com. Normally the SSL common
name would not resolve to the server's IP address, but with this hosts entry, as seen above,
it does. Save and close.
3. Open a command line and ping the name you entered in the hostfile. It should resolve to
the local IP.
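The hosts edit and the resolution check from steps 1 to 3 can be done in one script, which also avoids the common mistake of leaving two lines for the same name (the first match wins, so a stale entry silently hides the new one). This is an added example, not from the Citrix guide; it uses the guide's example common name and picks the first non-loopback IPv4 address of the box unless you set the IP yourself. Run it elevated on the Secure Gateway server.

```powershell
# Added example, not from the Citrix guide: add the certificate's common name to the hosts
# file of the Secure Gateway server, pointing at its own IP, then prove it resolves that way.

$CommonName = 'remoteapps.mycsg.com'       # guide's example CN of the Web Server certificate
$Hosts = Join-Path $env:windir 'System32\drivers\etc\hosts'

# First non-loopback IPv4 address of this machine; override $Ip if the box is multi-homed.
$Ip = [System.Net.Dns]::GetHostAddresses($env:COMPUTERNAME) |
      Where-Object { $_.AddressFamily -eq 'InterNetwork' -and -not [System.Net.IPAddress]::IsLoopback($_) } |
      Select-Object -First 1 -ExpandProperty IPAddressToString
if (-not $Ip) { throw 'No non-loopback IPv4 address found' }

# Keep a backup and drop any earlier line for this name so re-running never leaves two
# conflicting entries.
Copy-Item $Hosts "$Hosts.bak" -Force
$pattern = "^\s*\S+\s+$([regex]::Escape($CommonName))(\s|$)"
$keep = @(Get-Content $Hosts | Where-Object { $_ -notmatch $pattern })
$keep + ("{0}`t{1}" -f $Ip, $CommonName) | Set-Content -Path $Hosts -Encoding ASCII

ipconfig /flushdns | Out-Null

# Resolution check: the Windows resolver consults hosts before DNS, so this is the same path
# the Secure Gateway service and a browser on this server will take.
$resolved = [System.Net.Dns]::GetHostAddresses($CommonName) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $Ip) { throw "$CommonName resolves to $($resolved -join ', '), not $Ip" }
"$CommonName -> $Ip (via $Hosts)"
```

Remember that this only fixes resolution on the gateway itself; remote clients still need a public DNS record for the certificate name that points at the gateway's external address.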
4. Open the Web Interface management console, highlight XenApp Web Sites > External
or XenApp > Secure Access.
5. Select the default access method Gateway direct and click Edit.
Note: This wizard will configure Web Interface to generate launch.ica files that route user
connections through the gateway.
6. Enter the FQDN and uncheck the box for Enable session reliability.
7. Click Next.
8. Enter the same secure ticket authority STA as listed on Secure Gateway. If you
entered the IP address on Secure Gateway then enter the address here as well for Web
Interface. As you see above, the STA is listed by ip:port if XML is not sharing with IIS.
9. The Secure access tab should have a check next to Gateway Direct.
Making a connection through secure gateway
1. Open Internet Explorer and go to the FQDN of Secure Gateway, that is, the name on the
certificate. The Web Interface logon page is now served over HTTPS under that name; if the
client trusts the root CA certificate installed earlier, the browser shows the padlock and
no certificate warning.
3. After your application starts, go to the Connection Center: in the system tray, right-click
the Citrix icon, then click Connection Center.
4. Highlight the farm name, click properties on the right-hand side of the Connection
Center.
6. Go to Start > All Programs > citrix > management consoles > Secure Gateway
Management console.
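Connection Center shows the live session; the launch.ica that Web Interface handed the browser shows why it went that way. The following added example, not part of the Citrix guide, parses a saved launch.ica and checks the three settings that decide whether the session goes through the gateway. The two ICA texts in it are constructed for the example; for a real check, save the launch.ica Web Interface generates and pass its lines to Test-IcaUsesGateway. The gateway name is the guide's example.

```powershell
# Added example, not from the Citrix guide: check a launch.ica for gateway routing.
# The sample ICA contents below are CONSTRUCTED for this example.

function Read-Ica([string[]]$Lines) {
    # Minimal INI reader: @{ Section = @{ Key = Value } }. ICA files are INI-style.
    $ini = @{}; $section = ''
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($t -match '^([^=]+)=(.*)$') {
            if (-not $ini.ContainsKey($section)) { $ini[$section] = @{} }
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $ini
}

function Test-IcaUsesGateway([string[]]$Lines, [string]$Gateway, [int]$Port = 443) {
    # Returns a list of problems; an empty list means the session is routed via the gateway.
    $ini = Read-Ica $Lines
    $app = @($ini['ApplicationServers'].Keys)[0]
    $s   = $ini[$app]
    $problems = @()
    # SSLEnable=On: the client speaks TLS to the gateway instead of raw ICA on 1494.
    if ($s['SSLEnable'] -ne 'On') { $problems += "SSLEnable=$($s['SSLEnable']): ICA would leave the client in clear text" }
    # SSLProxyHost: the name the client connects to; it must match the gateway certificate's CN.
    if ($s['SSLProxyHost'] -ne "${Gateway}:$Port") { $problems += "SSLProxyHost=$($s['SSLProxyHost']), expected ${Gateway}:$Port" }
    # Address=;40;<STA id>;<ticket>: type 40 is an STA ticket that only the gateway can redeem.
    # A literal host:port here means Web Interface is not using the gateway and is leaking
    # the internal XenApp address to the client.
    if ($s['Address'] -notmatch '^;40;[^;]+;\S+$') { $problems += "Address=$($s['Address']) is not an STA ticket" }
    return $problems
}

# Constructed sample 1: what Web Interface produces with Gateway direct configured.
$viaGateway = @'
[WFClient]
Version=2
[ApplicationServers]
Notepad=
[Notepad]
Address=;40;STA0123ABCD;3F2C9E1A0B7D4C5E8A9F0B1C2D3E4F5A
InitialProgram=#Notepad
SSLEnable=On
SSLProxyHost=remoteapps.mycsg.com:443
TransportDriver=TCP/IP
'@ -split "`r?`n"

# Constructed sample 2: Secure Access left at Direct; internal address, no TLS.
$direct = @'
[WFClient]
Version=2
[ApplicationServers]
Notepad=
[Notepad]
Address=10.0.0.25:1494
InitialProgram=#Notepad
SSLEnable=Off
TransportDriver=TCP/IP
'@ -split "`r?`n"

foreach ($case in @(@{ Name = 'via gateway'; Lines = $viaGateway }, @{ Name = 'direct'; Lines = $direct })) {
    $p = @(Test-IcaUsesGateway -Lines $case.Lines -Gateway 'remoteapps.mycsg.com')
    if ($p.Count -eq 0) { '{0}: OK' -f $case.Name } else { "{0}: FAIL`n  {1}" -f $case.Name, ($p -join "`n  ") }
}
```

The first sample passes and the second reports all three problems. To check a real file: `Test-IcaUsesGateway -Lines (Get-Content .\launch.ica) -Gateway <your certificate CN>`.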
Creating a Web Server certificate with IIS 6.0
4. Once in Properties, notice that no SSL port is configured, then go to Directory
Security.
6. Click Next.
7. Accept the defaults and click Next.
8. Give the certificate a friendly name and accept the default Bit length.
9. Click Next.
12. Enter the name of your certificate, known as the common name or FQDN.
15. Accept the defaults.
16. Click Next.
19. Click Finish.
Sending the request to be signed
1. Copy the text from the certreq.txt file in the root of the C:\ drive on the Windows 2003
CA server, then go to the http://localhost/certsrv URL.
2. Click Request a certificate.
5. Paste the certificate into the Saved Request field.
6. For certificate template, choose Web Server.
7. Click Submit.
Completing the Certificate request
1. Go to the Properties of the Default website again within IIS 6.0 Manger.
2. Click Server Certificate.
3. Click Next.
4. Choose the option to Process the pending request and install the certificate.
5. Click Browse.
6. Navigate to the location where the certnew.cer file was downloaded to, default path is
the root of the c:\ drive.
7. Change the SSL port to 444. This is required if Secure Gateway will listen on port 443.
8. Click Next.
9. Click Finish.
11. You should see You have the private key that corresponds to the certificate. This
means that the signed certificate has been successfully bound to the paired private key,
creating a complete web server certificate.