Use NetScaler Gateway with StoreFront to provide secure remote access for users outside the corporate network and NetScaler to provide load balancing.
Integrating StoreFront with NetScaler Gateway and NetScaler requires a plan for gateway and server certificate usage. Consider which Citrix components are going to require server certificate(s) within your deployment:
- Plan to obtain certificates for Internet-facing servers and gateways from external certificate authorities. Client devices may not automatically trust certificates signed by an internal certificate authority.
- Plan for both external and internal server names. Many organizations have separate namespaces for internal and external use - such as example.com (external) and example.net (internal). A single certificate can contain both of these kinds of name by using the Subject Alternative Name (SAN) extension. This is not normally recommended. A public certificate authority will only issue a certificate if the top-level domain (TLD) is registered with IANA. In this case, some commonly used internal server names (such as example.local) cannot be used, and separate certificates for external and internal names are required anyway.
- Use separate certificates for external and internal servers, where possible. A gateway may support multiple certificates, either by binding a different certificate to each interface.
- Avoid sharing certificates between Internet-facing and non-Internet-facing servers. These certificates are likely to be different - with different validity periods and different revocation policies than certificates issued by your internal certificate authorities.
- Share "wildcard" certificates only between equivalent services. Avoid sharing a certificate between different types of server (for example StoreFront servers, and other kinds of servers). Avoid sharing a certificate between servers which are under different administrative control, or which have different security policies. Typical examples of servers which provided equivalent service are:
- A group of StoreFront servers and the server that performs load balancing between them.
- A group of Internet-facing gateways within GSLB.
- A group of XenApp and XenDesktop 7.x controllers, which provide equivalent resources.
- Plan for hardware-secured private key storage. Gateways and servers, including some NetScaler models, can store the private key securely within a hardware security module (HSM) or Trusted Platform Module (TPM). For security reasons, these configurations are not usually intended to support sharing of certificates and their private keys, Consult the documentation for the component. If implementing GSLB with NetScaler Gateway, this may require each gateway within GSLB to have an identical certificate, which contains all the FQDNs you wish to use.
For more information about securing your Citrix deployment, see the white paper End-To-End Encryption with XenApp and XenDesktop and the XenApp and XenDesktop Secure section.