Learning the Basics of Citrix XenApp 5 Feature Pack 3 for Windows Server 2003 and XenServer 5.6 Part 10 of 12
Using Citrix Secure Gateway
In Part 9, you learned to allow external access to the published applications using the AltAddr method. In this Part, you will learn how to:
- Generate an SSL certificate request,
- Purchase an SSL Certificate from GoDaddy,
- Complete the certificate request,
- Test the certificate,
- Install and configure Citrix Secure Gateway, and then
- Test external and internal secure access to published applications.
Using Citrix Secure Gateway (CSG) is better than using AltAddr because CSG is SSL based and helps to secure the logon and data traffic. CSG is also easy to install and configure
Remove Altaddr Settings
When you completed Part 9 you were in the Citrix Web Interface Management Console (WIMC). Before CSG can be installed and configured, the AltAddr configuration settings need to be removed.
Click XenApp Web Sites in the left column, your XenApp site in the middle column and Secure Access in the right column, or Action Pane (Figure 10-1).
We need to change the Default access method from the Alternate method back to Direct. The current Direct method needs to be removed and the current Alternate method needs to be changed back to Direct.
Click the line that has Direct for the access method and click Remove (Figure 10-2).
Click the Default/Alternate line and click Edit… (Figure 10-3).
Click the dropdown box, select Direct and click OK (Figure 10-4).
Click Finish (Figure 10-5).
The only access method at this time is now the original default method of Direct access.
Now the AltAddr assigned to the server’s network interface needs to be removed.
Open a command prompt window. Type in altaddr /delete InternalIPAddress and press Enter. Substituting your real Internal IP Address. Type in altaddr and press Enter. Your results should be similar to Figure 10-6.
Type exit and press Enter to close the command prompt window.
CSG uses SSL so TCP ports 1494 and 2598 no longer need to be opened on your router and or firewall.
Your router and or firewall need to be configured to allow the necessary ports through.
Port Protocol 80 HTTP 443 HTTPS (SSL) 3389 Remote Desktop (optional)
Here is my router configuration (Figure 10-7).
Minimize the WIMC.
Generate SSL Certificate Request
Click Start -> Administrative Tools -> Internet Information Services (IIS) Manager (Figure 10-8).
Expand Web Sites (Figure 10-9).
Select Default Web Site (Figure 10-10).
Right-click Default Web Site and click Properties (Figure 10-11).
Click the Directory Security tab and click Server Certificate… (Figure 10-12).
The Web Server Certificate Wizard starts. Click Next (Figure 10-13).
Select Create a new certificate and click Next (Figure 10-14).
Click Next (Figure 10-15).
You can type in any Name for the new certificate on Figure 10-16. I use citrix.domain.tld or for my certificate, citrix.websterslab.com. For GoDaddy.com SSL certificates, the Bit length must be 2048 or higher. Select a suitable Bit length value and click Next.
Note: For compatibility with future versions of IIS, a Bit length of 4096 is recommended.
For GoDaddy, you can enter anything for Organization and Organizational unit (Figure 10-17). They should either be very easy for you to remember or should be documented in your Change Control processes. If you ever need to rekey your certificate, you will need this information. If what you enter during the GoDaddy rekeying process does not match what you enter here, the rekeying will not be allowed by GoDaddy. I prefer to keep everything simple and enter citrix.domain.tld or for my certificate, both fields will be citrix.websterslab.com.
Enter your Organization, Organizational unit and click Next.
Note: Other SSL providers may require these fields to map to the information contained in the domain WHOIS information.
For Your Site’s Common Name, enter citrix.domain.tld or for my certificate, citrix.websterslab.com and click Next (Figure 10-18).
Select your Country/Region, enter your State/province, City/locality and click Next (Figure 10-19).
Note: Other SSL providers may require the State/province to be spelled out.
By default, the Certificate Request File Name is saved as c:\certreq.txt. The IIS Certificate Wizard allows you to specify a different location and filename of your choice. Either enter a new file name or accept the default and click Next (Figure 10-20).
Verify the information on the Request File Summary page is correct. If anything needs to be corrected, click Back and make any necessary corrections. If all the information is correct, click Next (Figure 10-21).
Click Finish to complete the certificate request and generate the file (Figure 10-22).
Leave the Default Web Site Properties page up. Click Start, Run and type in the path and filename for your certificate request file. If you accepted the default, type in c:\certreq.txt and press Enter (Figure 10-23). This will open the file in Notepad (Figure 10-24).
Press Ctrl-A to select the entire certificate request and press Ctrl-C to copy the file contents to the server’s clipboard (Figure 10-25). Do not change anything in this file. Doing so will invalidate the certificate request process and you will need to start over.
Purchase SSL Certificate
Exit Notepad, start Internet Explorer and go to http://www.godaddy.com (Figure 10-26).
Log in to your account and click on SSL Certificates (Figure 10-27).
Scroll down and under Standard SSL, select Single — List Price $49.99/yr, then the number of years you wish your certificate to be valid and click Add (Figure 10-28).
You can safely bypass all the extra deals GoDaddy tries to sell you. Nothing else is needed for your SSL Certificate to work with the Citrix Secure Gateway and Web Interface.
Scroll down to the bottom of the screen and click “No thanks” (Figure 10-29).
Enter any promo codes you have, select your payment method and check the box by I have read and agree to the terms of the Universal Terms of Service and click Continue With Checkout (Figure 10-30).
Enter the information for your payment method and complete that process (No, I’m not showing you mine!).
When the payment process is complete, click Login to Begin Using Your Products (Figure 10-31).
Once back on the main account page, you should have an alert showing to start the process to setup your SSL Certificate. Click the link Get Started (Figure 10-32).
On the Managing Secure Certificates screen, click the link to “Use Credit” for your new certificate (Figure 10-33).
The Set up New Certificate wizard starts. Click Continue (Figure 10-34).
Click Close on the Thank You! popup (Figure 10-35).
Back on the Managing Secure Certificates Control Panel, click the Manage Certificate link for the New Certificate (Figure 10-36).
Note: It may take a few minutes before your new certificate shows up in the list.
A new browser window opens up. Click Request Certificate (Figure 10-37).
Select Third Party or Dedicated/Virtual Dedicated Server w/o Simple Control Panel, click in the CSR box and press Ctrl-V, make sure the certificate issuing organization is Go Daddy and click Next (Figure 10-38).
Verify the information is correct and click Next (Figure 10-39). If the information is not correct, click Back and correct the information.
Click Finished (Figure 10-40).
You will receive an e-mail from Go Daddy in a few minutes telling you “Your SSL Certificate Has Been Issued”.
Back on the Manage Certificates control panel, select your new SSL Certificate and click the Download arrow (Figure 10-41).
Select IIS6 from the dropdown box and click Download Certificate for IIS6 (Figure 10-42).
Open the file… (Figure 10-43).
And extract the files to c:\sslcert (Figure 10-44).
Click Close (Figure 10-45).
Log out of GoDaddy.com and close all browser windows.
Install SSL Certificate into Windows
Click Start, Run, type in MMC and press Enter (Figures 10-46 and 10-47).
Click File and Add/Remove Snap-in… (Figure 10-48).
Click Add… (Figure 10-49).
Click Certificates and click Add (Figure 10-50).
Select Computer account and click Next (Figure 10-51).
Select Local computer and click Finish (Figure 10-52).
Click Close to close the Add Standalone Snap-in dialog (Figure 10-53).
Click OK to return to the main MMC Window (Figure 10-54).
Click the “+” to expand the Certificates folder (Figure 10-55).
Right-click on Intermediate Certification Authorities, choose All Tasks and click Import… (Figure 10-56).
Click Next (Figure 10-57).
Click Browse… (Figure 10-58).
Change the “Files of type” dropdown to PKCS #7 Certificates (*.spc, *.p7b) (Figure 10-59).
Browse to the location you extracted and saved your certificate files, select your certificate file and click Open (Figure 10-60).
Click Next (Figure 10-61).
Select Place all certificates in the following store and make sure the Certificate store is Intermediate Certification Authorities and click Next (Figure 10-62).
Click Finish on the Certificate Import Wizard (Figure 10-63).
Click OK (Figure 10-64).
Click the “+” next to Trusted Root Certification Authorities and click Certificates (Figure 10-65).
Scroll down, right-click Go Daddy Class 2 Certification Authority and select Properties (Figure 10-66).
Note: The Go Daddy Class 2 Certification Authority may not be there. Do not worry if it is not there.
Select Disable all purposes for this certificate and click OK (Figure 10-67).
Exit the MMC console without saving changes.
Install SSL Certificate into IIS
Click on Default Web Site Properties dialog and click Server Certificate… (Figure 10-68).
Click Next (Figure 10-69).
Select Process the pending request and install the certificate and click Next (Figure 10-70).
Click Browse… to locate your certificate file (Figure 10-71).
Change the Files of type to All files (*.*) (Figure 10-72).
Find and select your GoDaddy “crt” certificate file and click Open (Figure 10-73).
Click Next (Figure 10-74).
Citrix Secure Gateway will process all incoming SSL traffic on Port 443 so the SSL Port that IIS uses must be changed. Type in 444 and click Next (Figure 10-75).
Note: This is one of the most common problems that keeps Citrix Secure Gateway from working. Citrix Secure Gateway MUST have Port 443 reserved for its use. IIS MUST use a different Port for SSL.
Verify the information on the Certificate Summary page is correct and click Next (Figure 10-76).
Click Finish (Figure 10-77).
Click OK (Figure 10-78).
Exit Internet Information Services Manager.
Verify SSL Certificate
To verify the SSL Certificate was installed properly, you may need to create an entry in your Web Interface server’s Host file. Click Start, Run and type in Notepad %systemroot%\system32\drivers\etc\hosts and press Enter (Figure 10-79).
Go to the bottom of the Hosts file and type 127.0.0.1, press Tab and type in the Fully Qualified Domain Name your users will use to access the Citrix Secure Gateway. For me that is citrix.websterslab.com (Figure 10-80).
Save the changes and exit Notepad.
Open your Internet browser and go to https://FullyQualifiedDomainName:444. For me, I went to https://citrix.websterslab.com:444 (Figure 10-81). Note the SSL Padlock icon.
Click the Padlock icon and click View certificates. (Figure 10-82).
Click each of the three tabs (Figures 10-83, 10-84 and 10-85).
Click OK and log in to the Web Interface (Figure 10-86).
You can test running any published application if you wish. Log off the Web Interface and exit your Internet browser.
Install Citrix Secure Gateway
CSG has been updated to version 3.2 in Feature Pack 3. To start the installation of CSG 3.2 click Start -> Run, type in c:\fp3\Secure Gateway\Windows\CSG_GWY.msi and press Enter (Figure 10-87).
Click Next (Figure 10-88).
Select I accept the license agreement and click Next (Figure 10-89).
Select Secure Gateway and click Next (Figure 10-90).
Click Next to accept the default installation folder (Figure 10-91).
Citrix Best Practice is to place the Secure Gateway/Web Interface server in the DMZ and the server should not be a domain member. Since this server is an Internet facing server it should be protected by all means possible. This includes using an account that has the least possible privileges and not putting the server on your internal network.
On the Service Account page you have the option of running the Secure Gateway service under Local System or Network Service accounts. What is the difference and which one should be chosen? According to http://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx, the Local System account runs at a very high privilege level. The article recommends using the Network Service account if a high privilege level is not needed. The Secure Gateway service does not need, and should not be given, such a high privilege level. According to http://msdn.microsoft.com/en-us/library/ms684272(VS.85).aspx, the Network Service account has very few privileges. You should seriously consider using the Network Service account for the Secure Gateway service. It is very odd that this important decision is barely mentioned in the Secure Gateway for Windows Administrator’s Guide or any Citrix Support Tech Notes.
Using the Network Service account reduces the attack surface should your Secure Gateway/Web Interface server be hacked. Since this account has no domain privileges it will make it harder for an attacker to compromise your domain.
If you do decide to place the Secure Gateway/Web Interface server on your internal network, then you must use the Network Service account.
Select NETWORK SERVICE from the dropdown list and click Next (Figure 10-92).
Verify the install options (Figure 10-93). If any corrections need to be made, click Back and make the necessary corrections. If everything is correct, click Next.
Click Finish (Figure 10-94).
Click OK to start the Secure Gateway Configuration wizard (Figure 10-95).
Configure Citrix Secure Gateway
Click OK to start configuring Secure Gateway (Figure 10-96).
The Standard configuration does not allow us to set, or verify, all the necessary options. Select Advanced and click Next (Figure 10-97).
Select your SSL certificate and click Next (Figure 10-98). Click View… to view the information about your certificate. This is the same information that was seen in Figures 10-83, 10-84 and 10-85.
For “Select secure protocol“, select Secure Sockets Layer (SSLv3) and TLSv1. For “Select cipher suite“, select All and click Next (Figure 10-99).
If you have a single network card with a single IP address, you can select Monitor all IPv4 addresses (Figure 10-100). If you have multiple network cards and or multiple IP addresses on this server, unselect Monitor all IPv4 addresses, click Add and add the network interface(s) you wish to monitor for TCP port 443 traffic.
Secure Gateway will handle all TCP port 443 traffic and IIS handles SSL traffic on TCP port 444 (or whatever you selected earlier). Enter 443 for the TCP port and click Next.
Note: IPv6 is only supported under Windows Server 2008.
Select No outbound traffic restrictions and click Next (Figure 10-101).
The Secure Ticket Authority (STA) is installed on every XenApp server. If you have multiple XenApp servers enter as many XenApp servers as you like to provide failover. Best practice is to list a dedicated Most Preferred Data Collector and backup Data Collector.
Click Add (Figure 10-102).
Note: Secure Ticket Authority (STA) is part of the XML Service that runs on all XenApp servers.
Enter citrixone for the Fully Qualified Domain Name (FQDN) and click OK (Figure 10-103).
Click Next (Figure 10-104).
By default, Secure Gateway is limited to 250 concurrent connections. I would not recommend increasing this limit. If you need more than 250 concurrent connections you should seriously consider Citrix’s hardware solution the Citrix Access Gateway.
Accept the defaults and click Next (Figure 10-105).
If you have any hardware load balancing appliances in front of your Secure Gateway/Web Interface server, enter the IP addresses here to exclude them from generating even log entries and click Next (Figure 10-106).
Since the Secure Gateway and Web Interface are installed on the same server, select Indirect:…, check Installed on this computer and click Next (Figure 10-107).
Select the level of logging you wish to receive from the Secure Gateway service and click Next (Figure 10-108).
Check to Start the Secure Gateway service and click Finish (Figure 10-109).
Exit the Explorer windows and the Citrix XenApp installation program.
Configure Web Interface Site to use Citrix Secure Gateway
To test external access to published applications, you will need a public DNS name for the server. Mine is citrix.websterslab.com. I use DynDNS to allow the use of a dynamic Public IP address for my lab server. In your router or firewall TCP port 443 must be routed from the Public IP address to the internal IP address of the Citrix Secure Gateway/Web Interface server.
Internet -> Public IP address -> Router/Firewall -> TCP Port 443 -> Private IP address
Internet -> 69.x.y.z -> Router/Firewall -> TCP Port 443 -> 192.168.1.105
Restore the Web Interface Management Console. In the Action pane under XenApp — Edit Settings, click Secure access (Figure 10-110).
Click the Default/Direct line and click Edit… (Figure 10-111).
Select Gateway Direct from the dropdown list and click OK (Figure 10-112).
Selecting Gateway Direct will send to the client the external Public IP address of the Secure Gateway/Web Interface server instead of the internal Private IP address of the XenApp server hosting the published application.
Click Next (Figure 10-113).
Enter the FQDN that users will use to access the Secure Gateway/Web Interface server and click Next (Figure 10-114).
Click Add… (Figure 10-115).
Type in http://citrixone/scripts/ctxsta.dll and click OK (Figure 10-116).
Click Finish (Figure 10-117).
Test Access to Published Applications Through Citrix Secure Gateway
From a computer that is external to your network, go to https://FQDN. For me, this is https://citrix.websterslab.com (Figure 10-118). Notice the SSL padlock appears.
Log in to the Web Interface and your published applications are shown (Figure 10-119).
Test running your published applications to verify they run successfully.
To verify the connection is using 256-bit SSL, right-click the Citrix Connection Center icon in the systray and select Open Connection Center (Figure 10-120).
Click the XenApp server and click Properties (Figure 10-121).
The Client Connection Status dialog shows that 256-bit SSL is in use (Figure 10-122).
Exit the Client Connection Center, your published application, log off the Web Interface site and exit your Internet browser.
Repeat the tests from inside your network.
Create Part 10 Snapshot
To create the Snapshot for this Part, right-click the VM and select Take Snapshot… (Figure 10-123).
- Enter a Name,
- Optionally enter a Description,
- Select Quiesce the VM before taking the snapshot, and then
- Click Take Snapshot (Figure 10-124).
Click on the Snapshots tab to see the Snapshot (Figure 10-125).
Click the Console tab to return to the Windows desktop.
Note: On my computer, there are video anomalies when switching from the Snapshot tab to the Console tab. The only way to resolve this issue is to reinstall XenTools after every snapshot is complete.
You have now successfully tested secure access to published application from both inside and outside your network.
In this Part, you learned to install and configure Citrix Secure Gateway 3.2 and test both external and internal secure access to published applications. In Part 11, you will learn to create and configure a XenApp Services Site.