
Migrating from the Secure Gateway to NetScaler Gateway

Jul 15, 2013

This topic discusses how to prepare to migrate from the Secure Gateway to NetScaler Gateway, and the two migration options you can choose from: in-place migration or parallel migration.

Preparing to Migrate

Before migrating from the Secure Gateway to NetScaler Gateway, consider the following:

  • Make sure that user devices meet system requirements. For more information about system requirements, see the appropriate guide for the Citrix online plug-in.
  • Make sure port 443, the default security port on the firewall, is open between the Internet and NetScaler Gateway. This requirement is identical in a Secure Gateway deployment.
  • Install NetScaler Gateway. For details, see the installation instructions for your NetScaler Gateway appliance.
  • Acquire and install the appropriate certificates on NetScaler Gateway. These include:
    • Server certificate for NetScaler Gateway
    • Root certificates for NetScaler Gateway, Secure Ticket Authority (STA), and user devices
  • Configure the networks that users can connect to through NetScaler Gateway.

Migration Options

You can choose from the following two options for migrating from the Secure Gateway to NetScaler Gateway:

  • In-place migration, in which you transfer the certificate and fully qualified domain name (FQDN) on the Secure Gateway to NetScaler Gateway
  • Parallel migration, in which you obtain a new signed certificate and FQDN for NetScaler Gateway

Each option is valid; however, the in-place migration has the potential to temporarily disrupt access to internal resources when compared with a new installation.

After the migration is complete, users can log on with their current credentials and do not have to perform any configuration on their devices. Each option requires minimal user support.

Performing an In-Place Migration

When you choose an in-place migration from the Secure Gateway to NetScaler Gateway, you export the Secure Gateway certificate, upload it to NetScaler Gateway and bind it to a virtual server.

The certificate must be in PEM format before you can install it on NetScaler Gateway. If you are unfamiliar with the process of converting certificates, Citrix recommends a new installation of NetScaler Gateway and the use of a new certificate.

Important: If you are transferring a certificate from the Secure Gateway to Access Gateway Enterprise Edition, the FQDN of the certificate installed on the virtual server must match the FQDN of the Secure Gateway. With this option, you cannot take a phased approach because two identical FQDNs cannot reside on the same network.

An in-place migration is identical to a new installation of NetScaler Gateway, except for the following items:

  • You use the Secure Gateway certificate on NetScaler Gateway
  • The FQDN on the NetScaler Gateway certificate must match the FQDN of the Secure Gateway

Although in-place migration results in the least amount of user support (users do not need to be notified of a new Web address), if any mistakes are made in the configuration of the NetScaler Gateway that were not identified by proper testing procedures, all of your users are directly impacted. Mistakes could prevent users from logging on or connecting to published applications or desktops in the server farm.
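
One way to do the PEM conversion and the FQDN check described in this section, as an added example rather than Citrix's own procedure. It assumes the Secure Gateway certificate was exported from Windows as a PKCS#12 (.pfx) file that includes its private key, and that OpenSSL 1.1.1 or later is available; the file names, gateway.example.com and the password are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: PKCS#12 -> PEM conversion plus pre-upload checks.
# All file names, the FQDN and the password are constructed placeholders.
set -eu

# Build a throwaway self-signed certificate and export it as a .pfx,
# standing in for the certificate exported from the Secure Gateway server.
make_sample_pfx() {   # $1 = work dir, $2 = FQDN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -keyout "$1/k.pem" -out "$1/c.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/k.pem" -in "$1/c.pem" \
    -passout env:PFX_PASS -out "$1/sg-export.pfx"
}

# Split the bundle into a PEM certificate and an unencrypted PEM key.
# The password is read from $PFX_PASS so it never appears in the process list.
pfx_to_pem() {        # $1 = .pfx file, $2 = output dir
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys \
    | openssl x509 -out "$2/server.crt"
  ( umask 077   # key file must not be readable by other users
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes \
      | openssl pkey -out "$2/server.key" )
}

# True when the private key belongs to the certificate (same public key).
key_matches_cert() {  # $1 = cert, $2 = key
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}

# True when the certificate is valid for the given FQDN (SAN or CN).
cert_covers_fqdn() {  # $1 = cert, $2 = FQDN
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

demo() {
  d=$(mktemp -d); export PFX_PASS='constructed-demo-pass'
  make_sample_pfx "$d" gateway.example.com
  pfx_to_pem "$d/sg-export.pfx" "$d"
  key_matches_cert "$d/server.crt" "$d/server.key" && echo "key matches cert"
  cert_covers_fqdn "$d/server.crt" gateway.example.com && echo "FQDN matches"
  cert_covers_fqdn "$d/server.crt" other.example.com || echo "other name rejected"
  rm -rf "$d"
}
demo
```

The resulting server.key is unencrypted, so keep it only as long as the upload requires and delete the working copies afterwards.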

Performing a Parallel Migration

Citrix recommends as a best practice that you run Secure Gateway parallel to NetScaler Gateway until all users are properly migrated to the appliance. To perform a parallel migration, you need to do the following:

  • Obtain a new FQDN and certificate.
  • Provide users with a new Web address for accessing resources.
  • Provide users with a date when they will start using NetScaler Gateway.

A parallel migration gives you a greater level of control over configuration. You can undertake a phased migration approach, rather than transferring all users at one time as you would do during an in-place migration. You can migrate users to NetScaler Gateway in groups, thereby preventing downtime for connections.

Performing a parallel migration is identical to a new installation of NetScaler Gateway. You follow the steps to install the appliance, licenses, and certificates, in addition to configuring authentication and other settings on the appliance. Users continue to connect to the Secure Gateway until configuration of NetScaler Gateway is complete. The Secure Gateway runs parallel to NetScaler Gateway until you migrate all users successfully to the new environment. This option requires you to purchase or generate a new server certificate. A significant benefit, however, is that users do not experience a disruption in their access to internal resources.

To perform a parallel migration to NetScaler Gateway, complete the following steps:

  1. Install NetScaler Gateway.

    This step configures the basic TCP/IP settings for NetScaler Gateway.

  2. Configure the STA settings on NetScaler Gateway to connect to resources on computers running XenApp.
    Note: You can add more than one server running the STA to the list. The list of servers must be identical to the servers configured for the Web Interface.
  3. Install a server certificate on NetScaler Gateway to secure client connections.
    Note: To use names that you can resolve for the STA and Web Interface, configure your Domain Name System (DNS) servers.
  4. Configure the settings in the Web Interface for user access.
  5. Remove the Web Interface from the DMZ and place it in the secure network.
    Note: You can also remove the server running the Secure Gateway from the DMZ and the server can be repurposed for another role.
  6. After NetScaler Gateway is installed in your network, create a test user on NetScaler Gateway to test the connection.

If you have configured single sign-on to the Web Interface, users are logged on automatically and have access to published applications and desktops. If not, users log on to the Web Interface and can then access their published applications or desktops.