Deploy a Citrix Gateway Connector instance on AWS - Tech Preview
Citrix Gateway Connectors can be deployed in AWS to provide secure VPN-less access to internal web applications hosted in AWS. Citrix Gateway Connectors deployed in AWS support all functions including all SSO types - Basic, Forms based, Kerberos, and SAML.
High-level steps to deploy the Citrix Gateway Connector instance on AWS.
- Create a key pair
- Create a Virtual Private Cloud (VPC)
- Add more subnets
- Create security groups and security rules
- Add route tables
- Create an internet gateway
- Create a Citrix Gateway Connector instance
- Connect to the Gateway Connector
Create a key pair
Amazon EC2 uses a key pair to encrypt and decrypt logon information. To log on to your instance, you must do the following:
- Create a key pair.
- Specify the name of the key pair when you launch the instance.
- Enter the private key when you connect to the instance.
When you review and launch an instance by using the AWS Launch Instance wizard, you are prompted to use an existing key pair or create a new key pair. For details on creating a key pair, see Amazon EC2 Key Pairs.
Create a virtual private cloud
A Citrix Gateway Connector instance is deployed inside an AWS VPC. A VPC allows you to define the virtual network dedicated to your AWS account. For more information on AWS VPC, see Getting Started With Amazon VPC.
While creating a VPC for your Citrix Gateway Connector instance, note the following:
- Use the VPC with a VPC with public and private subnets option to create an AWS VPC in an AWS availability zone.
- Citrix recommends having the Bastion VM (Jump Box) in the public subnet and the Citrix Gateway Connector VM in the private subnet.
- Access the Citrix Gateway Connector from the Bastion VM.
- All subnets must be in the same availability zone.
Add more subnets
When you used the VPC wizard, only two subnets (Public and Private) were created. Depending on your requirement, you might want to create more subnets. For more information about how to create more subnets, see Adding a Subnet to Your VPC.
Create security groups and security rules
To control inbound and outbound traffic, create security groups and add rules to the groups. For more information about how to create groups and add rules, see Security Groups for Your VPC.
To enable access to the Citrix Gateway Connector, open port 22 and 8443 must on the security group for SSH and HTTPS respectively.
Add route tables
Route table contains a set of rules, called routes, that are used to determine where the network traffic is directed. Each subnet in your VPC must be associated with a route table. For more information about how to create a route table, see Route Tables.
Create an internet gateway
Create an internet gateway for internet traffic flow in your public subnet and add it to the corresponding route table for the private subnet.
Create an NAT gateway for internet traffic flow in your private subnet and add it to the corresponding route table for the private subnet.
For more information about how to create an Internet Gateway, see Attaching an Internet Gateway.
Create a Citrix Gateway Connector instance
To create a Citrix Gateway Connector instance by using the AWS EC2 service, complete the following steps.
- Search for the AMI ID shared with you by Citrix.
- Navigate to EC2 from main menu.
- Click AMI and search for the AMI ID in Private Images.
For technical preview, the Citrix Gateway Connector image is not available in AWS Marketplace. Contact Citrix to get access to the AMI.
Launch Instance Type - Choose instance type that has more than 2 vCPUs, 4 GB RAM minimum.
Configure an instance - Configure the Instance VPC, subnet, and network.
Add storage- Configure the storage device setting. The storage must be a minimum of 20 GB.
Add tags - Add tags to the VM.
Configure the security group - Configure the inbound and outbound firewall rules. You can create a security group or select an existing group to configure the rules.
- TCP Port 22 to SSH
- TCP 8443 to access dashboard
- All traffic
For more details, see System requirements.
Review the settings - Review your instance launch details and edit the details if necessary.
- Click Launch.
- Select and existing key pair or create a new key pair.
- Click Launch Instances.
- Select the Key Pair - Select the created key pair for the Citrix Gateway Connector.
Connect to Citrix Gateway Connector
From the AWS management console, select the Citrix Gateway Connector instance and click Connect. Follow the instructions on the Connect to Your Instance page.
You must be able to SSH to the Gateway Connector VM from the Bastion VM.
ssh -i <pem file> administrator@<ip_address>
To access GUI in browser from the Bastion VM use;
User name: administrator
The default password is administrator and you are prompted to change the password after the first time you log on.