Citrix Web Interface 4.6 is an ASP.Net 2.0 application that provides access to Citrix Published Applications via a web browser. When deployed by itself, Internet Based users require direct ICA (TCP Port 1494) or Common Gateway Protocol (TCP Port 2598) Communication with each Citrix Server hosting their published applications. Since this involves allowing secure communications from the Public Internet into the Private Network and opening firewall ports. Additionally it requires that the client can successfully communicate over ports 1494 or 2598.
Citrix Secure Gateway 3.0 (CSG) is a Reverse Proxy that provides secure remote access to Citrix Published Applications over SSL (TCP Port 443). When deployed in a DMZ it solves the security and access problems previously listed, i.e. the client only needs to be able to contact the CSG over port 443 and the CSG communicates on behalf of the clients with the Citrix Servers on the Private Network. No communication happens between the Public Internet and Private/Corporate Network.
Both Citrix Web Interface and Secure Gateway are available to Citrix Presentation Server Customers viahttp://www.mycitrix.com.
Software pre-requisites (for the machine to host Web Interface 4.6 and Secure Gateway 3.0):
- Windows Server OS, i.e. 2003 Web or 2003 Standard Edition.
- IIS w/ ASP.Net
- Net Framework 2.0
- Microsoft Visual J# Version 2.0 Redistributable Package
- Access Management Console for Presentation Server 4.5 (Framework only)
- Web Interface 4.6 Access Management Console Extension
- 3rd Party SSL Server Certificate (i.e. from Verisign, Thawte, GeoTrust, GoDaddy...)
Hardware Requirements:
- Server capable of running Windows Server OS w/ IIS
- Firewall with DMZ an available DMZ Port
Web Interface 4.6 for Windows - Installation and Configuration
The initial installation and configuration of the Web Interface / Secure Gateway Server should be performed on the Private Network, to ensure that all components are working properly before moving the server to the DMZ. Since the server’s final destination is in the DMZ, the server should NOT be a domain member.
After installing software pre-requisites 1 through 6, download and launch the Web Interface installation program (WebInterface.exe). Install Web Interface and accept the defaults.
Download the Citrix Web Client and place ica32web.msi in “C:\Program Files\Citrix\Web Interface\4.6\Clients\ica32\”.
Download the Citrix Java Client and place the components in “C:\Program Files\Citrix\Web Interface\4.6\Clients\icajava\”.
Launch the Access Management Console (AMC). The first time the AMC is run, discovery is performed to identify the components that will be managed.
Select the option, “Do not contact servers running the configuration service”, unless you want to centrally store the Web Interface Configuration (refer to the Web Interface Administrators Guide).
After the discovery process completes, right click on the Web Interface node on the left pane of the AMC -> Select “Create Site”.
Select the default option for Site Type (Access Platform Site).
On the Specify IIS Location step of the site creation, check the option “Set as the default page for the IIS site”. Accept the defaults for the rest of the Create Site process.
After the site is created, the initial settings must be configured. On this screen, enter the name of the Citrix Farm, then enter at least one server from the Citrix Farm with which the Web Interface will communicate. The Web Interface communicates with the XML Service on the configured Citrix Server via the Farm XML Port (80 is the default). Refer to the Citrix Server Farm Properties in the Presentation Server Console if unsure what port number to enter.
Best practice would be to enter at least two XML Servers (for redundancy) and to enter Citrix Servers configured as Data Collectors. When a user enters their credentials to log on to the Web Interface, the Web Interface communicates with the XML Service to authenticate the user and return the Application Set for that user.
XML Servers can be entered as their NetBIOS, FQDN or IP Address, depending on which name resolution mechanism is in place. Since the server will end up in the DMZ, entering the IP Address requires the fewest open ports (between the DMZ and Private Network).
On the “Select Application Type” screen, select “Remote”, unless you plan to use the Presentation Server 4.5 Application Streaming Feature to stream applications to client computers. Accept the defaults for the remainder of the Initial Configuration Wizard.
At this point the Citrix Web Interface is ready to be tested, to ensure that it’s been configured correctly. To test that the Web Interface is working, open Internet Explorer on the Web Interface Server and browse to http://localhost. Without any further configuration, one should be able to successfully log on and launch applications from the configured Citrix Farm.
After successfully entering logon credentials, one should be presented with the following Citrix Client Detection Wizard (if no Citrix Client is installed).
Clicking the “Detect Client” button initiates a scan to check the client computer for an installed Citrix Client. If no client is detected, the user is presented with the following screen where the Citrix Web Client installation can be started.
If the end user clicks the “Download” button, the Citrix Web Client installation package is loaded from “C:\Program Files\Citrix\Web Interface\4.6\Clients\ica32\ica32web.msi” on the Web Interface Server.
Click “Run” and proceed with the Client Installation. After the installation is complete, the end user is presented with the following screen.
Click “Successful” to be taken to the client’s application set.
Click on one of the applications. If the application launches, the basic configuration of Citrix Web Interface was successful. The next step is to obtain an SSL Server Certificate which will be used by Citrix Secure Gateway.
SSL Server Certificate Configuration
Since Citrix Secure Gateway is used to provide secure remote access, a Trusted 3rd Party SSL Server Certificate is required. To obtain the certificate, launch Computer Management and navigate to Services and Applications -> Internet Information Services (IIS) Manager -> Web Sites -> Default Web Site -> Properties -> Directory Security.
Click on the “Server Certificate” button to start the “Web Server Certificate Wizard”. Select “Next -> Create a new certificate -> Prepare the request now, but send it later.
In the name field, enter a friendly name that accurately describes what the certificate will be used for, i.e. “Citrix Secure Gateway”. Click Next.
The information on the Organization Information page is what will display on the SSL Certificate when viewed by the end user.
The Site Common Name is the most important piece of information that is entered. It MUST match the Fully Qualified Domain Name that will be addressed by the end user. It need not be the same as the NetBIOS Name of the Server, but DNS must be configured to resolve this name to the server being configured.
On the Geographical Information Screen it is important that the “State/province” be completely spelled, as the request will not be accepted by the 3rd Party Certificate Authority if the State/province is abbreviated.
The information entered in the IIS Certificate Wizard outputs to a text file, whose content is submitted to the 3rd Party Certificate Authority via their online certificate purchase form.
After purchasing the SSL Server Certificate from your preferred Certificate Authority, the Certificate needs to be installed on the Web Interface / Secure Gateway Server. The following steps may differ slightly, depending on the vendor, but in this example we’ll use certificates from GoDaddy.com. GoDaddy supplies two certificates, an Intermediate Certificate Authority and the SSL Server Certificate that was purchased. Per the instructions from the vendor we open the Certificates Management Console via Start -> Run -> MMC -> File -> Add/Remove Snap-in -> Add -> Certificates -> Add -> Computer Account -> Next -> Local Computer -> Finish.
Right click on the “Intermediate Certification Authorities”, navigate to All Tasks -> Import -> Browse and select the Root Certificate supplied by the vendor.
Click Next and Accept the Default Location of Intermediate Certification Authorities.
Click Next to Complete the Certificate Import.
Open IIS Manager -> Web Sites -> Default Web Site -> Properties -> Directory Security -> Server Certificate.
Click “Next” to continue with the Web Server Certificate Wizard.
Select “Process the pending request and install the certificate”. Click “Next” to continue.
Browse to, or enter the path to the downloaded SSL Server Certificate. Click “Next” to continue.
Change the “SSL port this web site should use” from 443, to 444 or another unused port. It is very important NOT to accept the default port of 443, as this port will be used by Citrix Secure Gateway.
To test that the SSL Certificate has been properly installed and that IIS has been configured correctly, restart IIS via “Start -> Run -> cmd -> IISRESET”. After IIS restarts, browse to https://FullyQualifiedDomainName:444. This is NOT the URL clients will enter, as they will connect to the Citrix Secure Gateway on the standard HTTPS Port (443). This is only being done to ensure that the certificate was properly installed and that the Citrix Web Interface still works. A DNS Host (A) or Alias (Cname) record must be configured to resolve the Fully Qualified Domain Name to the IP Address of the server being configured for the web page to display correctly.
In part two of this article we’ll go over the installation and configuration of Citrix Secure Gateway, as well as the required firewall configuration.
If you would like to read the next part of this article series pelase go to How To: Install and Configure Citrix Web Interface 4.6 and Citrix Secure Gateway on the same server (Part 2).
hi sree i need ur help. can u send ur email id to my mail id vanjari.naresh1@gmail.com
ReplyDelete