Certificate Requirements

Jul 22, 2010

All user devices and secure servers in a Secure Gateway deployment use digital certificates to verify each other’s identity and authenticity.

The Secure Gateway supports the use of digital certificates. As the security administrator, you need to decide whether or not the communication links between the Secure Gateway and other servers in the DMZ or secure network need to be encrypted. See Digital Certificates and the Secure Gateway.

Important: If you purchased server certificates from a commercial certificate authority (CA), support for root certificates for most commercial CAs is built into Internet Explorer and Windows server products. If you obtained server certificates from a private CA or commercial CA whose root certificates are not, by default, supported by the Windows operating system, you must install matching root certificates on all user devices and servers connecting to secure servers.
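The check behind the Important note above, as an added example that is not part of the Citrix documentation: it builds the chain for a server certificate against the local Windows trust stores and reports whether it ends in a trusted root. The function name `Test-CertificateTrust`, the CA and host names, and the commented file path are hypothetical; it assumes Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Build the chain for a certificate against this machine's trust stores.
# Revocation checking is off so the check runs offline.
function Test-CertificateTrust {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [X509Certificate2[]]$ExtraCertificates = @()   # chain candidates, not trust anchors
    )
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    foreach ($c in $ExtraCertificates) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
    $trusted = $chain.Build($Certificate)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject  = $Certificate.Subject
        ChainTop = $top.Subject
        Trusted  = $trusted
        Status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Constructed sample: a throwaway private root CA and a server certificate it issues.
$now    = [DateTimeOffset]::UtcNow
$caKey  = [RSA]::Create(2048)
$caReq  = [CertificateRequest]::new('CN=Example Private Root CA', $caKey,
              [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$caReq.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
$root   = $caReq.CreateSelfSigned($now.AddDays(-1), $now.AddDays(30))

$srvKey = [RSA]::Create(2048)
$srvReq = [CertificateRequest]::new('CN=gateway.example.test', $srvKey,
              [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$server = $srvReq.Create($root, $now, $now.AddDays(7), [byte[]](1..8))

# The root is supplied for chain building but is not in the Trusted Root store,
# so the chain can be built yet is not trusted on this machine.
Test-CertificateTrust -Certificate $server -ExtraCertificates $root

# A certificate exported to a file is checked the same way (path is hypothetical):
# Test-CertificateTrust -Certificate ([X509Certificate2]::new('C:\certs\gateway.cer'))
```

Run the same function on each user device and server that connects to a secure server; `Trusted` becomes `True` only once the matching root certificate is installed in that machine's Trusted Root Certification Authorities store.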

Certificate Requirements for a Single-Hop DMZ

If your secure network contains Citrix XenApp with the Secure Gateway in the DMZ, servers and clients need the following certificates:

  • Root certificates on all user devices that connect to the server running the Secure Gateway.
  • Root certificates on every Secure Gateway component that connects to a secure server. For example, a root certificate must be present on the server running the Secure Gateway to verify the server certificate installed on the server running the STA.
  • A server certificate on the server running the Secure Gateway.
  • Optional. A server certificate on the servers running the STA. The STA is installed by default when you install Citrix XenApp.

All Secure Gateway components support the use of digital certificates. Citrix recommends that the communication links between the Secure Gateway and other servers in the DMZ or secure network be encrypted.

Certificate Requirements for a Double-Hop DMZ

If your secure network contains Citrix XenApp with the Secure Gateway in the first DMZ, and the Secure Gateway Proxy and the Web Interface in the second DMZ, servers and clients require the following certificates:

  • Root certificates on all user devices connecting to the server running the Secure Gateway.
  • Root certificates on every Secure Gateway server that connects to a secure server or Web server. For example, an appropriate root certificate must be present on the server running the Secure Gateway to verify the server certificate installed on the Citrix XenApp server.
  • A server certificate on the server running the Secure Gateway.
  • Optional. A server certificate on the server(s) running the Secure Gateway Proxy.
  • Optional. A server certificate on the server running the STA.