Product Documentation

Deploying the Secure Gateway in a Single-Hop DMZ

May 08, 2015

In a single-hop deployment, users can connect to the enterprise network in two ways. In the first, the Secure Gateway intercepts the client connection and relays it to the Web Interface; after the user logs on and the credentials are authenticated, the Secure Gateway handles the session connection. In the second, users are directed to the Web Interface first, where they log on, and the session connection is then handled by the Secure Gateway. The first scenario is referred to as “behind the Secure Gateway” and the second as “parallel to the Secure Gateway.”

Certificate Requirements for a Single-Hop DMZ Deployment

If the Secure Gateway is in the DMZ, servers and clients need the following certificates:

  • Root certificates on all user devices that connect to the server running the Secure Gateway, so that the user device can verify the server certificate presented by the Secure Gateway.
  • Root certificates on every Secure Gateway component that connects to a secure server. For example, a root certificate must be present on the server running the Secure Gateway to verify the server certificate installed on the server running the STA.
  • A server certificate on the server running the Secure Gateway.
  • Optional. A server certificate on the servers running the STA. The STA is installed by default when you install Citrix XenApp.

All Secure Gateway components support the use of digital certificates. Citrix recommends that the communication links between the Secure Gateway and other servers in the DMZ or secure network be encrypted.
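The requirement above is easy to get wrong in practice: the root certificate of the CA that issued the STA's server certificate must be present on the Secure Gateway host, and the STA's certificate subject must match the host name configured in the Secure Gateway. The following check, added here as an example and not part of the Citrix documentation, opens an SSL connection from the Secure Gateway server to a backend host and reports whether the certificate validates against this machine's trust store (the same store the Secure Gateway uses). The host name sta01.wxyco.example is a constructed example; the function name Test-BackendCertificate is ours.

```powershell
# Added example, not part of the Citrix documentation. Run on the Secure Gateway host.
# Checks that a backend server's certificate (for example the STA on the XenApp server)
# chains to a root certificate installed in this machine's trust store and that its
# subject name matches the host name the Secure Gateway is configured to use.
function Test-BackendCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,  # FQDN exactly as entered in the Secure Gateway STA list
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $result = [ordered]@{ Host = $HostName; Port = $Port; Trusted = $false; Detail = $null }
    try {
        $client.Connect($HostName, $Port)
        # No custom validation callback: SslStream applies the machine's root store
        # and the host name check, so a failure here is one the gateway would see too.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $result.Trusted = $true
            $result.Detail  = "subject=$($cert.Subject); issuer=$($cert.Issuer); " +
                              "expires=$($cert.NotAfter); protocol=$($ssl.SslProtocol)"
        } catch {
            # Untrusted issuer, name mismatch and expired certificate all land here.
            $result.Detail = $_.Exception.Message
        }
    } catch {
        $result.Detail = "connection failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# Constructed example host name; replace with the STA FQDN from your Secure Gateway configuration.
Test-BackendCertificate -HostName 'sta01.wxyco.example'
```

A result with Trusted = False and a message about the validation procedure means the issuing root is missing from the Secure Gateway host's store or the certificate was issued for a different name; fix that before pointing the Secure Gateway at the STA, because the gateway will refuse the link for the same reason.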

Deployment Scenario A: Secure Gateway in a Single-Hop DMZ

WXYCo Inc. is an audit firm that recently purchased licenses for Citrix XenApp.

The company’s employees are financial auditors who visit client sites and conduct financial audits. They use a proprietary, client-server auditing software application, AuditorX. They publish AuditorX on computers running Citrix XenApp. They also deploy the Web Interface for Web access to their published resources. Employees can access AuditorX and other published resources through a Web browser on a user device connected to the LAN.

WXYCo realizes installing the Secure Gateway allows them to provide secure Internet access to published resources on its server farms. Because the workforce is largely mobile, use of the Internet to connect to the enterprise network is expected to reduce remote access costs dramatically.

A secure server farm using a single-hop DMZ.

This figure illustrates a secure enterprise network separated from the Internet by a single-hop DMZ. The enterprise network contains a server farm including one server running Citrix XenApp with the Secure Ticket Authority (STA). The firewall separating the secure network from the DMZ has ports 80, 443, and 1494 open. If session reliability is enabled, port 2598 is open on the internal firewall.

The DMZ contains a single server running both the Secure Gateway and the Web Interface. Traffic to the Web Interface is proxied through the Secure Gateway, which communicates with the Web Interface using HTTP.

The DMZ is separated from the Internet by a firewall that has port 443 open. The mobile workforce carries notebook PCs running a 32-bit Windows operating system, Internet Explorer 5.5, and the Citrix online plug-in for 32-bit Windows.

The security analyst recommends securing the communication link between the Secure Gateway and the STA. To do this, the company purchased two server certificates from a commercial certificate authority (CA). The server running the Secure Gateway and the Web Interface has root and server certificates installed. The server running Citrix XenApp has a server certificate installed. For more information about certificates, see Digital Certificates and the Secure Gateway.

Running the Web Interface behind the Secure Gateway in the Demilitarized Zone

In a single-hop DMZ deployment scenario, all incoming traffic is intercepted by the Secure Gateway. The Web Interface can be installed on the same server as Secure Gateway or on a separate server. All data exchanged between user devices and the Web Interface is relayed through the Secure Gateway.

The firewall facing the Internet has port 443 open. Users connect to the Secure Gateway using a URL such as https://Secure Gateway FQDN/, where Secure Gateway FQDN is the fully qualified domain name for the server running the Secure Gateway.


Advantages
  • A single server certificate is required on the server running the Secure Gateway and the Web Interface.
  • A single port, 443, must be opened on the firewall facing the Internet.
  • The Web Interface cannot be contacted directly from the Internet, which removes it from the Internet-facing attack surface.

Disadvantages
Deploying the Secure Gateway in this configuration affects Web Interface functionality. You lose some of the features available with the Web Interface, including the following:
  • Smart card authentication. The Secure Gateway negotiates the SSL handshake and terminates the SSL connection before forwarding the client request to the Web Interface. Because the SSL connection never reaches the Web Interface, smart card authentication integrated with the Web Interface is unavailable.
  • Firewall and proxy settings that require knowledge of the client IP address are ineffective. All communication from the user device to the Web Interface is proxied through the Secure Gateway, so every client connection to the Web Interface originates from the IP address of the server running the Secure Gateway. You can still configure firewall and proxy settings on the Web Interface for specific client address prefixes, but those settings must treat the Secure Gateway's IP address as the client address for every connection relayed through it; the Web Interface cannot distinguish between different user devices connecting through the Secure Gateway.

Citrix recommends deploying the Secure Gateway in this configuration if your network is small to medium sized, with a usage profile of hundreds of users. This type of deployment is optimal when users are connecting over the Internet to the Secure Gateway.

If any of the limitations described above are a concern and you have a sizeable user base accessing the Secure Gateway over the LAN, consider deploying the Web Interface in the configuration described in Running the Web Interface Parallel with the Secure Gateway.

Locking Down Internet Information Services

All traffic to the server running the Web Interface is proxied through the server running the Secure Gateway. Lock down Internet Information Services (IIS) to allow only the Secure Gateway to communicate with the Web Interface.

For instructions about configuring IIS to explicitly grant or deny access to applications or web sites, refer to the IIS documentation that ships with your version of Microsoft Windows Server.
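One way to apply this lockdown on IIS 7 or later, added here as an example and not part of the Citrix documentation: restrict the Web Interface site with IIS IP and Domain Restrictions so that only the Secure Gateway's address is accepted, and back it with a host firewall rule so a mistake in the IIS rule does not expose the site to the rest of the DMZ. The site path Default Web Site/Citrix/XenApp and the addresses 127.0.0.1 and 10.10.20.5 are assumptions for illustration.

```powershell
# Added example, not part of the Citrix documentation. Requires IIS 7 or later and the
# WebAdministration module; run in an elevated PowerShell on the Web Interface server.
Import-Module WebAdministration

# When the Secure Gateway and the Web Interface share one server (Scenario A), the proxied
# requests arrive from the loopback address or from the server's own address, depending on
# how the Web Interface URL is configured in the Secure Gateway, so allow both. If the Web
# Interface runs on a separate server, list the Secure Gateway's DMZ address instead.
$allowedClients = @('127.0.0.1', '10.10.20.5')       # constructed example addresses
$site           = 'Default Web Site/Citrix/XenApp'   # assumed Web Interface site path

# IP and Domain Restrictions is an optional role service; install it if it is missing.
if (-not (Get-WindowsFeature Web-IP-Security).Installed) {
    Install-WindowsFeature Web-IP-Security
}

$filter = 'system.webServer/security/ipSecurity'
# Writing with -PSPath 'IIS:\' -Location stores the rule in applicationHost.config, which
# works even though ipSecurity is locked against web.config overrides by default.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter `
    -Name 'allowUnlisted' -Value $false              # deny every address not listed below
foreach ($addr in $allowedClients) {
    Add-WebConfigurationProperty -PSPath 'IIS:\' -Location $site -Filter $filter `
        -Name '.' -Value @{ ipAddress = $addr; allowed = 'true' }
}

# Defense in depth at the host firewall. Windows Firewall gives block rules precedence
# over allow rules, so do not add a blanket block rule; rely on the default inbound
# Block action, disable the broad HTTP allow rule the Web Server role installs, and
# allow port 80 from the gateway addresses only.
Disable-NetFirewallRule -DisplayName 'World Wide Web Services (HTTP Traffic-In)' `
    -ErrorAction SilentlyContinue
New-NetFirewallRule -DisplayName 'Web Interface: allow HTTP from Secure Gateway only' `
    -Direction Inbound -Protocol TCP -LocalPort 80 -RemoteAddress $allowedClients -Action Allow

# Verify: allowUnlisted must be False and only the gateway addresses may be listed.
Get-WebConfiguration -PSPath 'IIS:\' -Location $site -Filter $filter |
    Select-Object allowUnlisted
Get-WebConfiguration -PSPath 'IIS:\' -Location $site -Filter "$filter/add" |
    Select-Object ipAddress, allowed
```

After applying the rules, confirm from a second host in the DMZ that the Web Interface URL returns an HTTP 403 rather than the logon page, and confirm from the Secure Gateway that logon still works; the IIS restriction is decided on the TCP source address, so a gateway that reaches the Web Interface through a different interface than the one listed will be rejected as well.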

Running the Web Interface Parallel with the Secure Gateway

In this configuration, the Secure Gateway and the Web Interface are installed on separate servers. Users can connect directly to the Web Interface.

Users connect directly to the Web Interface, using a URL such as https://Web Interface FQDN/citrix/AccessPlatform or https://Web Interface FQDN/citrix/XenApp, where Web Interface FQDN is the fully qualified domain name for the server running the Web Interface.

Citrix recommends securing both servers by installing a server certificate on each server running the Secure Gateway and the Web Interface. Open port 443 on the firewall facing the Internet.

Use this configuration when you want the features available with the Web Interface that are lost behind the Secure Gateway, including smart card authentication and firewall and proxy settings that depend on knowing the client IP address.

Setting Up and Testing a Server Farm

Complete the following tasks prior to installing and configuring the Secure Gateway.

  • Install and configure a server farm in the enterprise network.
  • Install, configure, and publish applications on the server farm.
  • Connect to the server farm using a user device and ensure you can access available published resources.

See the Citrix XenApp installation and administration topics for detailed instructions about performing these tasks.