Product Documentation

Sample Deployment with Secure Gateway (Single Hop)

Sep 15, 2015

This deployment uses the Secure Gateway in a single-hop configuration to provide SSL/TLS encryption between a secure Internet gateway server and an SSL-enabled plug-in. Encrypted communication between a web browser and the web server uses the secure protocol HTTPS. Additionally, you can secure ICA traffic within the internal network by using IPSec.

This diagram shows deploying the Secure Gateway in a single-hop configuration.


The following table lists the components of the deployment and the operating systems required for the servers and user devices.

Components and operating systems for this deployment:

XenApp farm
    Components:         XenApp 6.5 for Microsoft Windows Server 2008 R2
                        SSL Relay enabled
                        Secure Ticket Authority installed on XenApp server
    Operating systems:  Windows Server 2008 R2

Web server
    Components:         Web Interface 5.4 for Internet Information Services
    Operating systems:  Windows Server 2008 R2
                        Windows Server 2008
                        Windows Server 2003 with Service Pack 2
                        .NET Framework 3.5 or 2.0 (IIS 6.0 only)
                        Visual J#.NET 2.0 Second Edition

Secure Gateway server
    Components:         Secure Gateway 3.3 for Windows
    Operating systems:  Windows Server 2008 R2
                        Windows Server 2008
                        Windows Server 2003 with Service Pack 2

User devices
    Components:         Citrix Receiver for Windows 3.0
                        TLS-enabled Web browser
    Operating systems:  Windows 7
                        Windows Vista
                        Windows XP Professional

How the Components Interact

Use TLS to secure the connections between user devices and the Secure Gateway. To do this, deploy SSL/TLS-enabled plug-ins and configure the Secure Gateway at the network perimeter, typically in a demilitarized zone (DMZ).

You can secure the connections between users’ web browsers and the Web Interface by using the secure protocol HTTPS. Additionally, secure communication between the Web Interface and the XenApp servers using TLS.

This diagram shows a detailed view of this deployment.


In this deployment, the Secure Gateway removes the need to publish the address of every XenApp server in the farm and provides a single point of encryption and access to the farm. The Secure Gateway does this by providing a gateway that is separate from the XenApp servers, which reduces firewall traversal to a single, widely accepted port for ICA traffic in and out of the firewalls.

While this deployment is highly scalable, the trade-off is that ICA communication is encrypted only between user devices and the Secure Gateway, not between the Secure Gateway and the XenApp servers.

Note: The SSL Relay in this deployment is used to encrypt communication between the Web Interface and the XML Service running on the XenApp servers. The Secure Gateway communicates with the XenApp servers directly, so the SSL Relay is not used for communication between the Secure Gateway and the server farm.

You can secure the communication between the Secure Gateway and the server farm using IPSec, as shown in this deployment.

This diagram shows a detailed view of this deployment, which includes IPSec.


Security Considerations for This Deployment

IPSec

To enable IPSec to secure communication between Secure Gateway and the XenApp server farm, you must configure IPSec on each server, including the Secure Gateway server.

IPSec is configured using the local security settings (IP security policies) for each server. In this deployment, IPSec is enabled on the requisite servers and the security method is configured for Triple DES encryption and SHA-1 integrity to meet FIPS 140 requirements.
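The following commands show one way to create the IP security policy described above on the Secure Gateway server (the matching policy must also exist on each XenApp server). This is an added example, not Citrix configuration: it uses the legacy IP Security Policy store through netsh ipsec static (available on Windows Server 2003 and 2008), assumes the servers are domain-joined so Kerberos can authenticate the IPSec peers, and uses a placeholder subnet for the XenApp farm. The security method is the one the deployment text specifies, ESP with 3DES encryption and SHA-1 integrity.

```powershell
# Added example (not part of Citrix documentation). Run in an elevated prompt on
# the Secure Gateway server. The farm subnet below is a placeholder.
$farmSubnet = '10.0.20.0'         # placeholder: subnet holding the XenApp servers
$farmMask   = '255.255.255.0'

# 1. Policy container (created unassigned; assigned in the last step).
netsh ipsec static add policy name="SG-Farm-IPSec" description="Require_ESP_3DES_SHA1_to_XenApp_farm" assign=no

# 2. Filter list: all traffic between this host and the farm subnet, mirrored so
#    the reverse direction is covered as well.
netsh ipsec static add filterlist name="SG-Farm-Filters"
netsh ipsec static add filter filterlist="SG-Farm-Filters" srcaddr=Me dstaddr=$farmSubnet dstmask=$farmMask protocol=ANY mirrored=yes

# 3. Filter action: negotiate ESP[3DES,SHA1] only. inpass=no refuses clear-text
#    inbound traffic and soft=no forbids falling back to unprotected communication
#    when the peer does not respond to IKE.
netsh ipsec static add filteraction name="Require-3DES-SHA1" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

# 4. Rule tying the filter list and action together, authenticated with Kerberos
#    (the servers are assumed to be members of the same Active Directory domain).
netsh ipsec static add rule name="SG-Farm-Rule" policy="SG-Farm-IPSec" filterlist="SG-Farm-Filters" filteraction="Require-3DES-SHA1" kerberos=yes

# 5. Assign the policy so it takes effect, then review the result.
netsh ipsec static set policy name="SG-Farm-IPSec" assign=yes
netsh ipsec static show policy name="SG-Farm-IPSec" level=verbose
```

Because soft=no and inpass=no are set, ICA traffic to a XenApp server whose own policy is missing or misconfigured will fail rather than silently travel unencrypted; apply the policy to the farm servers first and check `netsh ipsec dynamic show qmsas` on the gateway to confirm that ESP security associations are actually being established.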

FIPS 140 Validation

In this deployment, the SSL Relay uses the Microsoft cryptographic service providers (CSPs) and associated cryptographic algorithms available in the Microsoft Windows CryptoAPI to encrypt and decrypt communication between user devices and servers. For more information about the FIPS 140 validation of the CSPs, see the Microsoft documentation.

SSL/TLS support and the supported ciphersuites can also be controlled using the Microsoft security option "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" for the following configurations:

XenApp farm    Operating system
XenApp 6.5     Windows 7, Windows Vista, Windows XP, Windows Server 2008 R2
XenApp 6.0     Windows 7, Windows Vista, Windows XP, Windows Server 2008 R2
XenApp 5.0     Windows Server 2008, Windows Server 2003

For more information, see the documentation for your operating system.

SSL/TLS Support

You can configure Secure Gateway and the Web Interface to use either the Transport Layer Security 1.0 protocol or the Secure Sockets Layer 3.0 protocol. In this deployment, the components are configured for TLS.

Supported Ciphersuites for Sample Deployment B

In this deployment, Secure Gateway and the Web Interface can be configured to use government-approved cryptography, such as the ciphersuite RSA_WITH_3DES_EDE_CBC_SHA, to protect “sensitive but unclassified” data.

For TLS connections, you can choose other Government Ciphersuites that employ RSA key exchange and the Advanced Encryption Standard (AES).
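The script below is an added verification aid, not Citrix code, covering both the FIPS security option described under "FIPS 140 Validation" and the ciphersuite requirements in this section. It reads the registry value that the "System cryptography: Use FIPS compliant algorithms" policy sets, then opens a TLS 1.0 connection to the Secure Gateway with the .NET SslStream class and reports the negotiated protocol, key exchange, cipher and hash, flagging anything that is not RSA with 3DES or AES and SHA-1. The gateway host name is a placeholder and must match the name on the Secure Gateway server certificate.

```powershell
# Added example (not part of Citrix documentation). Run from a user device or
# management host that can reach the Secure Gateway.
$gateway = 'gateway.example.com'   # placeholder: FQDN on the Secure Gateway certificate
$port    = 443

# 1. FIPS policy state. Vista/2008 and later store it as Lsa\FipsAlgorithmPolicy\Enabled;
#    Windows XP/2003 store it as the DWORD value Lsa\FipsAlgorithmPolicy.
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$fips = (Get-ItemProperty -Path "$lsa\FipsAlgorithmPolicy" -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($null -eq $fips) {
    $fips = (Get-ItemProperty -Path $lsa -Name FipsAlgorithmPolicy -ErrorAction SilentlyContinue).FipsAlgorithmPolicy
}
if ($fips -eq 1) { 'FIPS policy: enabled' } else { 'FIPS policy: NOT enabled on this host' }

# 2. Negotiate TLS 1.0 with the gateway and inspect what was agreed.
$tcp = New-Object System.Net.Sockets.TcpClient($gateway, $port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    # Restrict the client to TLS 1.0 (the protocol this deployment is configured for)
    # and request certificate revocation checking.
    $ssl.AuthenticateAsClient($gateway, $null, [System.Security.Authentication.SslProtocols]::Tls, $true)

    'Protocol:     {0}' -f $ssl.SslProtocol
    'Key exchange: {0} ({1} bit)' -f $ssl.KeyExchangeAlgorithm, $ssl.KeyExchangeStrength
    'Cipher:       {0} ({1} bit)' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
    'Hash:         {0}' -f $ssl.HashAlgorithm

    # Government ciphersuites for this deployment: RSA key exchange, 3DES or AES, SHA-1.
    $okCipher = $ssl.CipherAlgorithm -in @([System.Security.Authentication.CipherAlgorithmType]::TripleDes,
                                           [System.Security.Authentication.CipherAlgorithmType]::Aes,
                                           [System.Security.Authentication.CipherAlgorithmType]::Aes128,
                                           [System.Security.Authentication.CipherAlgorithmType]::Aes256)
    $okKex  = $ssl.KeyExchangeAlgorithm -eq [System.Security.Authentication.ExchangeAlgorithmType]::RsaKeyX
    $okHash = $ssl.HashAlgorithm -eq [System.Security.Authentication.HashAlgorithmType]::Sha1
    if ($okCipher -and $okKex -and $okHash) {
        'PASS: negotiated suite matches the approved RSA/3DES-or-AES/SHA-1 set'
    } else {
        'WARN: negotiated suite is outside the approved set; review the gateway ciphersuite settings'
    }
} finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

If AuthenticateAsClient throws, the usual causes in this deployment are a server certificate whose subject does not match the host name, a root certificate missing from the user device's trust store, or a gateway that has been restricted to a ciphersuite the client's FIPS setting does not permit; the exception message distinguishes the certificate cases from the negotiation failure.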

Certificates and Certificate Authorities

Citrix products use standard Public Key Infrastructure (PKI) as a framework and trust infrastructure. In this deployment, one server certificate is configured on Secure Gateway and one on the Web Interface. A certificate is also configured on each XenApp server. A root certificate is required for each user device. For information on the root certificate source for your user devices, see Citrix Receiver and Plug-ins.

Smart Card Support

In this deployment, you can configure XenApp to provide smart card authentication. To do this, you must configure authentication with Microsoft Active Directory and use the Microsoft Certificate Authority.

Plug-ins Used

In this deployment, users access their applications using Citrix Receiver. For more information about the security features and capabilities of Citrix Receiver, see Citrix Receiver and Plug-ins.