To provide secure access to applications and desktops for external users, an on-premises Citrix ADC VPX or MPX appliance is required. Using smart cards with Citrix Gateway is a common access scenario for Citrix Cloud Government customers. This article describes Citrix recommendations for using smart cards with Citrix Gateway.
Create a primary Gateway virtual server for authenticating users. Select the Client Authentication setting and set it to Mandatory. The Mandatory option enforces the need for smart cards by disallowing any SSL handshake that doesn’t include a client certificate.
Create a secondary Gateway virtual server that only handles ICA proxy. This Gateway is not configured to prompt for Client Authentication, so the SSL ICA connection doesn’t prompt the user again for a PIN. In StoreFront, use this virtual server to route connections to resources. This allows users to log on to the primary Gateway, which handles the initial authentication, and access resources through the secondary Gateway.
Create a third Gateway virtual server to provide the callback URL for StoreFront. Only StoreFront uses this virtual server, to verify requests from the Gateway appliance, so it doesn’t need to be publicly accessible. This virtual server is required when client certificate authentication is mandatory because StoreFront can’t present a certificate to authenticate.
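To check the three-virtual-server layout described above, the following added example (not Citrix code) audits the client authentication settings in a saved ns.conf. The virtual server names, addresses and sample configuration are constructed, and the audit assumes the settings are made with per-vserver `set ssl vserver` lines; settings applied through an SSL profile are not inspected.

```python
import shlex

# Constructed ns.conf excerpt; names and addresses are placeholders.
# gw_callback is deliberately misconfigured so the audit reports a finding.
SAMPLE_NS_CONF = """\
add vpn vserver gw_auth SSL 203.0.113.10 443
add vpn vserver gw_ica SSL 203.0.113.11 443 -icaOnly ON
add vpn vserver gw_callback SSL 10.0.0.12 443
set ssl vserver gw_auth -clientAuth ENABLED -clientCert Mandatory
set ssl vserver gw_callback -clientAuth ENABLED -clientCert Mandatory
"""

def client_auth_settings(conf_text):
    """Map each Gateway vserver to its explicit clientauth/clientcert values."""
    gateways, ssl = set(), {}
    for line in conf_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        if tok[:3] == ["add", "vpn", "vserver"]:
            gateways.add(tok[3])
        elif tok[:3] == ["set", "ssl", "vserver"]:
            opts = ssl.setdefault(tok[3], {})
            # Walk consecutive token pairs to pick up "-option value".
            for opt, val in zip(tok[4:], tok[5:]):
                if opt.lower() in ("-clientauth", "-clientcert"):
                    opts[opt[1:].lower()] = val.lower()
    return {name: ssl.get(name, {}) for name in gateways}

def audit(conf_text, primary, ica_proxy, callback):
    """Return findings where a vserver contradicts its role in the layout."""
    cfg = client_auth_settings(conf_text)
    findings = [f"{n}: no 'add vpn vserver' line found"
                for n in (primary, ica_proxy, callback) if n not in cfg]

    def mandatory(name):
        s = cfg.get(name, {})
        return s.get("clientauth") == "enabled" and s.get("clientcert") == "mandatory"

    if primary in cfg and not mandatory(primary):
        findings.append(f"{primary}: client authentication is not explicitly Mandatory")
    if cfg.get(ica_proxy, {}).get("clientauth") == "enabled":
        findings.append(f"{ica_proxy}: client authentication enabled; ICA launch prompts for a PIN again")
    if mandatory(callback):
        findings.append(f"{callback}: client certificate is Mandatory; StoreFront cannot present one")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_NS_CONF, "gw_auth", "gw_ica", "gw_callback")) or "layout OK")
```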
For more information about creating Citrix Gateway virtual servers, see Creating Virtual Servers.
For more information about configuring smart card authentication in StoreFront, see Configure smart card authentication.