Replacing the Secure Gateway with NetScaler Gateway

Jul 15, 2013

If you currently use the Secure Gateway to enable remote access to servers running Citrix XenApp or Citrix XenDesktop, you can replace the Secure Gateway with Citrix NetScaler Gateway.

One benefit of choosing the appliance-based NetScaler Gateway is support for additional applications and protocols. The software-based Secure Gateway is limited to supporting traffic on computers running XenApp or XenDesktop. Therefore, organizations that use the Secure Gateway might also deploy a remote access solution for other types of internal resources, adding more expense and work for administrators.

NetScaler Gateway can handle your organization’s remote access needs by securing traffic to applications hosted by XenApp, desktops hosted by XenDesktop, as well as access to internal resources, such as email, internal Web applications, and network file shares. NetScaler Gateway, like the Secure Gateway, supports connections between Citrix online plug-ins, Desktop Receiver, and published resources in single-hop and double-hop DMZ deployments.

Note: When NetScaler Gateway is deployed in a double-hop DMZ, only connections between online plug-ins and published applications are supported. In this scenario, NetScaler Gateway does not support connections to additional internal resources by using the NetScaler Gateway Plug-in.

The benefits of replacing the Secure Gateway with NetScaler Gateway include:
  • Replacing one or two Windows servers in the DMZ.
  • Allowing for additional VPN functionality while maintaining the ability to access published applications and desktops.
  • Allowing a broad range of user devices to connect to published applications in the secure network using Citrix online plug-ins.

The following figure shows a Secure Gateway deployment with the Web Interface in the DMZ with connections to computers running XenApp.

Figure 1. Secure Gateway deployment
Displays an illustration of the Secure Gateway deployment with the Web Interface in the DMZ.

In this deployment, the Secure Gateway is running on a Windows server in the DMZ. The Web Interface is also deployed in the DMZ. XenApp or XenDesktop is running in the secure network. The Secure Ticket Authority (STA) is installed and configured automatically on XenApp and XenDesktop. If you have multiple servers running XenApp, you can receive ticketing information from the STA on one server and published applications or desktops from another server.

The following figure shows the NetScaler Gateway deployment in the DMZ with the Web Interface located in the secure network:

Figure 2. NetScaler Gateway deployment

When the Secure Gateway is removed from the DMZ and replaced with NetScaler Gateway, you have the option of moving the Web Interface to the secure network. NetScaler Gateway authenticates and authorizes users and then connects to the Web Interface. This scenario provides greater security because there are two fewer Windows servers in the DMZ.

Important: When the Web Interface is placed in the secure network, you must configure authentication and authorization on NetScaler Gateway.