Product Documentation

Sample Deployment with Single Sign-on and Secure Gateway (Single-Hop)

May 18, 2015

This deployment uses Citrix Single sign-on and Secure Gateway in a single-hop configuration to enable single sign-on and TLS/SSL encryption between a secure Internet gateway server and an SSL-enabled plug-in, combined with encryption of the HTTP communication between the Web browser and the Web server. Additionally, you can secure ICA traffic within the internal network using IPSec.

See the Citrix Single sign-on documentation for further information about the Citrix Single sign-on components in this deployment.

This diagram shows sample deployment E, which uses Citrix Single sign-on and Secure Gateway.


Note: The Citrix Single sign-on central store is hosted on two servers (primary and secondary), both running Active Directory. The secondary server is only used to provide failover for the primary server.

The following table lists the components of the deployment and the operating systems required for the servers and client devices.

Component | Software | Operating systems
XenApp farm | XenApp 6.0 for Microsoft Windows Server 2008; SSL Relay not enabled; Secure Ticket Authority installed on XenApp server; Citrix Single sign-on 4.8 plug-in | Windows Server 2008 R2; Java 1.4.x or later
Citrix Single sign-on Service | Citrix Single sign-on 4.8 Service | Windows Server 2008 R2; Windows Server 2008 (32-bit); Windows Server 2003 with Service Pack 2 (32-bit); Windows Server 2003 R2 (32-bit); .NET Framework 2.0
Citrix Single sign-on central store | Citrix Single sign-on 4.8 central store | Windows Server 2008 R2; Windows Server 2008; Windows Server 2003 with Service Pack 2
Web server | Web Interface 5.3 for Internet Information Services | Windows Server 2008 R2; Windows Server 2008; Windows Server 2003 with Service Pack 2; .NET Framework 3.5 or 2.0 (IIS 6.0 only); Visual J#.NET 2.0 Second Edition
Secure Gateway server | Secure Gateway 3.2 for Windows | Windows Server 2008 R2; Windows Server 2008; Windows Server 2003 with Service Pack 2
User devices | Citrix online plug-in for Windows 12.x; TLS-enabled Web browser | Windows 7; Windows Vista; Windows XP Professional

How the Components Interact

Use TLS to secure the connections between client devices and Secure Gateway. To do this, deploy TLS/SSL-enabled plug-ins and configure Secure Gateway at the network perimeter, typically in a demilitarized zone (DMZ). Secure the connections between users’ Web browsers and the Web Interface using HTTPS.

Additionally, use TLS to secure communication between the Web Interface and the XenApp server farm, and between the farm and the Single sign-on central store and Single sign-on service.

In this deployment, Secure Gateway removes the need to publish the address of every XenApp server in the farm and provides a single point of encryption and access to the farm. Secure Gateway does this by providing a gateway that is separate from the XenApp servers, which also simplifies firewall traversal: ICA traffic passes in and out of the firewalls on a single, widely accepted port.

Set against the increased scalability of sample deployment E is the fact that ICA communication is encrypted only between client devices and Secure Gateway. ICA communication between Secure Gateway and the XenApp servers is not encrypted.

To comply with FIPS 140, secure the communication between Secure Gateway and the server farm using IPSec.

This diagram shows a detailed view of sample deployment E.


Security Considerations for This Deployment

IPSec

To enable IPSec to secure communication between Secure Gateway and the XenApp server farm, you must configure IPSec on each server, including the Secure Gateway server.

IPSec is configured using the local security settings (IP security policies) for each server. In sample deployment E, IPSec is enabled on the requisite servers and the security method is configured for 3DES encryption and SHA-1 integrity to meet FIPS 140 requirements.
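The following is an added example, not part of the Citrix documentation: it creates the connection security rule that requires ESP with SHA-1 integrity and 3DES encryption between the Secure Gateway server and the XenApp farm. It assumes Windows Server 2008 R2 (the netsh advfirewall consec context; Windows Server 2003 uses the older netsh ipsec context instead), and the addresses and rule name are placeholders for this deployment's own values.

```powershell
# Added example, not from the Citrix documentation. Requires ESP with SHA-1
# integrity and 3DES encryption for all traffic between the Secure Gateway
# server and the XenApp farm, the security method described above.
# Assumes Windows Server 2008 R2; addresses below are placeholders.
$SecureGateway = "192.0.2.10"      # placeholder: Secure Gateway server, internal interface
$XenAppFarm    = "192.0.2.64/26"   # placeholder: subnet holding the XenApp servers

# Run on the Secure Gateway server. Computer accounts authenticate with
# Kerberos (assumes both sides are domain members; if the Secure Gateway
# server in the DMZ is not domain-joined, use computer certificate
# authentication instead). Protection is required in both directions, so
# unprotected ICA traffic to the farm is refused rather than sent in the clear.
netsh advfirewall consec add rule `
    name="SG-XenApp-IPSec" `
    endpoint1=$SecureGateway `
    endpoint2=$XenAppFarm `
    action=requireinrequireout `
    auth1=computerkerb `
    qmsecmethods=esp:sha1-3des

# On each XenApp server, create the mirror rule with the endpoints swapped
# (endpoint1 is always the local side):
#   netsh advfirewall consec add rule name="SG-XenApp-IPSec" `
#       endpoint1=$XenAppFarm endpoint2=$SecureGateway `
#       action=requireinrequireout auth1=computerkerb qmsecmethods=esp:sha1-3des

# Verify: the rule exists, and once ICA traffic flows an active quick-mode
# security association using ESP/SHA1/3DES is listed for the two endpoints.
netsh advfirewall consec show rule name="SG-XenApp-IPSec"
netsh advfirewall monitor show qmsa
```

With the require/require action, a XenApp server on which the rule has not yet been created becomes unreachable from Secure Gateway, so roll the rule out to the farm before enabling it on the gateway.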

FIPS 140

In this deployment, the SSL Relay uses the Microsoft cryptographic service providers and associated cryptographic algorithms available in the Microsoft Windows CryptoAPI to encrypt and decrypt communication between client devices and servers. For more information about the FIPS 140 validation of the CSPs, see the Microsoft documentation.

For Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003, TLS/SSL support and the supported ciphersuites can also be controlled using the following Microsoft security option:

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

For more information, see the documentation for your operating system.

TLS/SSL Support

In this deployment, you can configure Secure Gateway and the Web Interface to use the Transport Layer Security 1.0 protocol.

Supported Ciphersuites

In this deployment, Secure Gateway and the Web Interface can be configured to use government-approved cryptography, such as the ciphersuite RSA_WITH_3DES_EDE_CBC_SHA, to protect “sensitive but unclassified” data.

Alternatively, for TLS connections, you can use AES as defined in FIPS 197. The government ciphersuites are RSA_WITH_AES_128_CBC_SHA for 128-bit keys and RSA_WITH_AES_256_CBC_SHA for 256-bit keys. As defined in RFC 3268 (http://www.ietf.org/rfc/rfc3268.txt), these ciphersuites use RSA key exchange and AES encryption. For more information about AES, see http://csrc.nist.gov.
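The following is an added example, not part of the Citrix documentation: a helper that checks a list of ciphersuite names against the policy described above (RSA key exchange; AES-128 or AES-256 in CBC mode per FIPS 197, or 3DES-EDE-CBC; SHA-1 HMAC) so that only approved suites are enabled on Secure Gateway or the Web Interface. The function name and the sample list are constructed for this example; names are IANA ciphersuite names with or without the TLS_ prefix.

```powershell
# Added example, not from the Citrix documentation. Classifies ciphersuite
# names against the government-approved set described above.
function Test-GovCipherSuite {
    param([string]$Name)
    # IANA naming: <key exchange>_WITH_<cipher>_<mode>_<mac>
    $m = [regex]::Match($Name, '^(?:TLS_)?(?<kx>[A-Z0-9_]+?)_WITH_(?<cipher>.+)_(?<mac>[A-Z0-9]+)$')
    $reason = $null
    if (-not $m.Success) {
        $reason = "not a recognised ciphersuite name"
    } else {
        $kx     = $m.Groups['kx'].Value
        $cipher = $m.Groups['cipher'].Value
        $mac    = $m.Groups['mac'].Value
        $allowedCiphers = @('AES_128_CBC', 'AES_256_CBC', '3DES_EDE_CBC')
        if ($kx -ne 'RSA') {
            $reason = "key exchange $kx is not RSA"
        } elseif ($allowedCiphers -notcontains $cipher) {
            $reason = "cipher $cipher is not AES-CBC or 3DES-EDE-CBC"
        } elseif ($mac -ne 'SHA') {
            $reason = "MAC $mac is not SHA-1 (SHA)"
        }
    }
    New-Object PSObject -Property @{
        Suite    = $Name
        Approved = ($null -eq $reason)
        Reason   = $reason
    }
}

# Constructed sample list: the three suites named above plus suites that
# the policy must reject.
$offered = @(
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_RC4_128_MD5',          # RC4 and MD5 are not approved
    'TLS_RSA_WITH_NULL_SHA',             # no encryption at all
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA'   # DHE, not RSA, key exchange
)
$offered | ForEach-Object { Test-GovCipherSuite $_ } |
    Format-Table Suite, Approved, Reason -AutoSize
```

The first three entries are reported as approved and the remaining three carry the reason for rejection; the function is written for PowerShell 2.0 so it runs on the server versions listed in the component table.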

Certificates and Certificate Authorities

Citrix products use standard Public Key Infrastructure (PKI) as a framework and trust infrastructure. In sample deployment E, one server certificate is configured on Secure Gateway and one on the Web Interface. A certificate is also configured on each XenApp server and on the server running the Password Manager service.

Smart Card Support

In this deployment, you can configure XenApp to provide smart card authentication. To do this, you must configure authentication with Microsoft Active Directory and use the Microsoft Certificate Authority.

Plug-ins

In this deployment, users access their applications using the Citrix plug-in. For more information about the security features and capabilities of Citrix plug-ins, see Receiver and Plug-in Security.