Configuring the Secure Gateway or Secure Gateway Proxy

Sep 15, 2015

The Secure Gateway Configuration or Secure Gateway Proxy Configuration wizard automatically starts when the installation is complete. The wizard guides you through configuration tasks and provides context-sensitive help describing the procedures and information you need to enter.

Configuring the Secure Gateway for use with Citrix XenApp requires the following information:

  • The FQDN and path of the server running the STA
  • The FQDN and path of the server running the Web Interface

To start the configuration wizard manually

If you need to start the configuration wizard manually (for instance, to change the configuration at any time after initial installation and configuration), perform the following steps.

  1. Log on as an administrator to the computer running the Secure Gateway.
  2. Open the wizard by clicking Start and locating the Secure Gateway Management Console.
  3. In the Secure Gateway Management Console menu, click Action > All Tasks and select Stop to stop the Secure Gateway Service.
  4. From the Start button, locate and click Secure Gateway Configuration Wizard or Secure Gateway Proxy Configuration Wizard.

To select a configuration level for Secure Gateway

To specify a configuration level for Secure Gateway, select one of the following to access the parameters available for modification during the configuration process:

  • Standard

    Includes only the minimum set of parameters required to configure the Secure Gateway. The Secure Gateway Configuration wizard sets all remaining parameters to their default values.

  • Advanced

    Includes all of the Secure Gateway’s configurable parameters, for example, supported secure protocols and logging exclusions.

To select a configuration level for the Secure Gateway Proxy

  1. Select one of the following to access the parameters available for modification during the configuration process:
    • Standard

      Includes only the minimum set of parameters required to configure the Secure Gateway Proxy. The Secure Gateway Proxy Configuration wizard sets all remaining parameters to their default values.

    • Advanced

      Includes all of the Secure Gateway Proxy’s configurable parameters, for example, supported secure protocols and logging exclusions.

  2. Select the Secure traffic between the Secure Gateway and Secure Gateway Proxy option to secure communications between the Secure Gateway and the Secure Gateway Proxy servers using SSL or TLS.

    To secure this traffic, you must also:

    • Install a server certificate on the server running the Secure Gateway Proxy
    • Install a client certificate on the Secure Gateway

Task Summary for Secure Gateway, Advanced or Standard Configuration

The task summary when selecting the advanced or standard configuration type is as follows:

Tasks                                       Advanced Configuration Selected  Standard Configuration Selected
To select a server certificate              X                                X
To configure secure protocol settings       X                                Not available
To configure inbound client connections     X                                X
To configure outbound connections           X                                X
To add the Secure Ticket Authority details  X                                X
To configure connection parameters          X                                Not available
To configure logging exclusions             X                                Not available
To add the Web Interface server details     X                                X
To configure the logging parameters         X                                X

Task Summary for Secure Gateway Proxy, Advanced or Standard Configuration

The task summary when selecting the advanced or standard configuration type is as follows:

Tasks                                       Advanced Configuration Selected  Standard Configuration Selected
To select a server certificate              X                                X
To configure secure protocol settings       X                                Not available
To configure inbound client connections     X                                X
To configure outbound connections           X                                X
To add the Secure Ticket Authority details  Not available                    Not available
To configure connection parameters          X                                Not available
To configure logging exclusions             X                                Not available
To configure the logging parameters         X                                X

To select a server certificate

Server certificates enable user devices to verify the identity of the server running the Secure Gateway.

Note: This option is not displayed when you are installing the Secure Gateway Proxy and you select the Secure traffic between the Secure Gateway and Secure Gateway Proxy option.

  1. Select a valid server certificate installed on the computer running Secure Gateway or Secure Gateway Proxy from the Certificates Found menu.
  2. Click View to display the details of the selected certificate.

To configure secure protocol settings

This configuration dialog appears if you selected Advanced for the Secure Gateway’s configuration level. Select the secure protocol and cipher suite used to secure the data transmitted between the Secure Gateway and the user device or Secure Gateway Proxy.

Note: When deployed in proxy mode, the Secure Gateway Proxy’s client is the Secure Gateway. However, when deployed in relay mode, the Secure Gateway Proxy’s client is Citrix Receiver for Windows or the Citrix online plug-in.

  1. Select a secure protocol:
    • Transport Layer Security (TLSv1)

      Configure the Secure Gateway to use only TLS as its secure protocol. If you select this option, verify that all user devices support and are configured to use TLS as well.

    • Secure Sockets Layer (SSLv3) and TLSv1

      Configure the Secure Gateway and Secure Gateway Proxy to use SSL and TLS as their secure protocols. This option is useful when deploying the Secure Gateway or Secure Gateway Proxy in an environment in which some clients support only SSL.

      Note: If a user device supports both the SSL and TLS protocols, TLS is used to secure the data transmitted between the Secure Gateway/Secure Gateway Proxy and the client.
  2. Select a cipher suite:
    • GOV

      You can configure the Secure Gateway/Secure Gateway Proxy to use the following government strength cipher suite: RSA_WITH_3DES_EDE_CBC_SHA or {0x00,0x0A}

    • COM

      You can configure the Secure Gateway/Secure Gateway Proxy to use the following commercial strength cipher suites: RSA_WITH_RC4_128_MD5 or {0x00,0x04}, RSA_WITH_RC4_128_SHA or {0x00,0x05}

    • ALL

      You can configure the Secure Gateway/Secure Gateway Proxy to use both the commercial and government strength cipher suites. This option is useful when deploying the Secure Gateway/Secure Gateway Proxy in an environment where some user devices support only COM while others support only GOV.

      Note: When the Secure Gateway and a user device support both COM and GOV cipher suites, the Secure Gateway uses the COM cipher suite.
  3. Click Next to proceed.
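The two precedence rules in the notes above (TLS is used when a client supports both SSLv3 and TLS; the COM suite is used when a client supports both COM and GOV), modelled as an added example that is not Citrix code. Given the protocol level and cipher level chosen in the wizard plus what a client offers, it reports what the Secure Gateway would negotiate; the suite identifiers are the ones quoted on this page and the client inputs are constructed.

```python
from typing import FrozenSet, List, Optional, Tuple

SuiteId = Tuple[int, int]

# Cipher suites and their identifiers exactly as the wizard lists them.
GOV_SUITES = {"RSA_WITH_3DES_EDE_CBC_SHA": (0x00, 0x0A)}
COM_SUITES = {"RSA_WITH_RC4_128_MD5": (0x00, 0x04),
              "RSA_WITH_RC4_128_SHA": (0x00, 0x05)}

# Cipher level -> suites offered, in the gateway's order of preference.
# COM comes before GOV because the note says COM wins when both are supported.
CIPHER_LEVELS = {
    "GOV": list(GOV_SUITES.items()),
    "COM": list(COM_SUITES.items()),
    "ALL": list(COM_SUITES.items()) + list(GOV_SUITES.items()),
}

# Protocol level -> protocols offered, TLS first (TLS wins when both are supported).
PROTOCOL_LEVELS = {
    "TLSv1": ("TLSv1",),
    "SSLv3 and TLSv1": ("TLSv1", "SSLv3"),
}


def select_protocol(level: str, client_protocols: FrozenSet[str]) -> Optional[str]:
    """First gateway-preferred protocol the client also supports, or None."""
    for proto in PROTOCOL_LEVELS[level]:
        if proto in client_protocols:
            return proto
    return None


def select_cipher(level: str, client_suite_ids: FrozenSet[SuiteId]) -> Optional[str]:
    """First gateway-preferred suite the client also offers, or None."""
    for name, suite_id in CIPHER_LEVELS[level]:
        if suite_id in client_suite_ids:
            return name
    return None


def negotiate(protocol_level: str, cipher_level: str,
              client_protocols, client_suite_ids) -> Optional[Tuple[str, str]]:
    """(protocol, suite) the gateway would use, or None if no handshake is possible."""
    proto = select_protocol(protocol_level, frozenset(client_protocols))
    suite = select_cipher(cipher_level, frozenset(client_suite_ids))
    if proto is None or suite is None:
        return None
    return proto, suite


def wire_suite_list(level: str) -> bytes:
    """The level's suites as the 2-byte values carried in a hello message."""
    return b"".join(bytes(suite_id) for _, suite_id in CIPHER_LEVELS[level])


if __name__ == "__main__":
    # Constructed client: supports both protocols and one suite of each strength.
    print(negotiate("SSLv3 and TLSv1", "ALL", {"SSLv3", "TLSv1"}, {(0, 0x0A), (0, 0x04)}))
```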

To configure inbound client connections

Specify the IP addresses and TCP ports that you want the Secure Gateway/Secure Gateway Proxy to monitor for incoming connections.

  1. Select each Monitor all IP addresses check box to configure the Secure Gateway to listen for connections on all available IPv4 or IPv6 addresses.

    This option is useful when configuring the Secure Gateway/Secure Gateway Proxy on a server using multiple network interface cards (NICs). When configured in proxy mode, the Secure Gateway Proxy listens on all available IP addresses for Secure Gateway connections. When configured for relay mode, the Secure Gateway Proxy listens on all available IP addresses for client connections.

  2. Type a listener TCP port number in the TCP Port field.

    This option is available only when the Monitor all IP addresses option is selected. The Secure Gateway/Secure Gateway Proxy listens for Secure Gateway or client connections on all available IP addresses using the port specified on the server. The default TCP port is 443.

  3. Clear the Monitor all IP addresses check boxes to configure the Secure Gateway/Secure Gateway Proxy to listen on one or more specific IP addresses. Then click Add to add one or more IP addresses and the related TCP port.

Typically, you would exclude dynamic IP addresses. When a dynamic IP address changes, new connections are not accepted on that address and the service can fail to start when the server is restarted.

To configure outbound connections

Select the servers to which the Secure Gateway can connect:

  • No outbound traffic restrictions

    Select this option to enable the Secure Gateway/Secure Gateway Proxy to establish connections to any server within the DMZ or secure network. Click Next to continue.

  • Use the Secure Gateway Proxy

    This option is not available when configuring the Secure Gateway Proxy. Select this option when configuring the Secure Gateway in a double-hop environment. Select the Secure traffic between the Secure Gateway and the Secure Gateway Proxy check box to use HTTPS to secure communications between them.

  • Use an Access Control List (ACL)

    Select this option to create an access control list for the Secure Gateway/Secure Gateway Proxy. An access control list restricts the Secure Gateway/Secure Gateway Proxy to establishing connections to servers specified in the list. Click Configure to specify the start and end IP address range for allowed connections.

    Note: In a double-hop DMZ, configure outbound access control lists on the Secure Gateway Proxy server only.

To configure servers running the Secure Gateway Proxy:

  1. From the Configure outbound connections dialog window, select Use the Secure Gateway Proxy radio button and click Configure.
  2. Click Add.
  3. Type the fully qualified domain name (FQDN) or IP addresses and TCP port of the Secure Gateway Proxy servers to which you want the Secure Gateway server to connect. The default TCP port for unsecured communications between the Secure Gateway and the Secure Gateway Proxy is 1080. The default TCP port for secure communications between the Secure Gateway and Secure Gateway Proxy is 443.
  4. Click OK.
  5. Select the Secure traffic between the Secure Gateway and Secure Gateway Proxy option to secure communications between the Secure Gateway and the Secure Gateway Proxy servers using SSL or TLS.

    When this option is not selected, the connection between the Secure Gateway and Secure Gateway Proxy is not secured. To secure traffic between the Secure Gateway and Secure Gateway Proxy you must also:

    • Install a server certificate on the server running the Secure Gateway Proxy
    • Install a client certificate on the Secure Gateway

To configure an access control list for outbound connections:

You do not need to include servers running the Secure Ticket Authority because these are configured elsewhere in the wizard.

  1. Select the Use an Access Control List (ACL) button, click Configure, and then click Add.
  2. If you select the IP Address Range option, type or select the following information:
    • Start address

      Enter the IP address of a server that you want to add to the outbound access control list. When specifying an IP address range, enter the range’s start IP address. If you use an IP address range for multiple servers running XenApp, be sure that the servers you specify offer the full range of applications that you want to be available.

    • End address

      Leave this field blank if you are creating an entry for a single server. Otherwise, enter the end address of the range.

    • TCP port

      Enter the TCP port used by the server(s). To allow connections to any port on a server, you can use the wild card asterisk character (*) in the TCP port field. You can use this wild card to allow one ACL entry for a range of IP addresses to permit connections using the ICA and Common Gateway Protocol (CGP) protocols.

    • Use default port

      Select this option to use the default port used by the server for the protocol selected.

    • ICA

      Select this option to allow ICA/SOCKS connections to the selected servers. Typically, you would use ICA for servers running Citrix XenApp that accept ICA/SOCKS connections. This option is not available to the Secure Gateway Proxy.

    • CGP

      Select this option to allow CGP connections to the selected servers. Typically, you would use CGP for servers running Citrix XenApp that accept CGP connections. CGP can provide session reliability if you enable session reliability on the selected servers. To allow CGP as well as ICA/SOCKS connections to the same servers, add a separate entry for each protocol. This option is not available to the Secure Gateway Proxy.

  3. If you select the Server FQDN option, type or select the following information:
    • FQDN

      Enter the fully qualified domain name of the server to which the Secure Gateway Proxy allows access.

    • TCP port

      Enter the TCP port used by the server. To allow connections to any port on a server, you can use the wild card asterisk character (*) in the TCP port field.

    • Secure traffic between the server and the Secure Gateway Proxy

      Select this option to secure communications between the server and the Secure Gateway Proxy servers using SSL or TLS. When this option is not selected, the connection is not secured.

  4. Click OK, then click Add to add another connection, or click OK to close the dialog box.
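An outbound ACL evaluator, as an added example that is not Citrix code: it models the IP Address Range and Server FQDN entries described in steps 2 and 3 (start/end address, TCP port or the * wild card, one entry per protocol, Use default port) and answers whether a given destination would be permitted. The default ports 1494 for ICA and 2598 for CGP are assumptions, since the page refers to them only as "the default port used by the server"; the ACL and destinations below are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Union

# Assumed defaults behind the "Use default port" check box (not stated on the page).
DEFAULT_PORTS = {"ICA": 1494, "CGP": 2598}

Port = Union[int, str]  # an int, or "*" for the wild card the dialog allows


def _port_ok(entry_port: Port, dest_port: int) -> bool:
    return entry_port == "*" or int(entry_port) == dest_port


@dataclass(frozen=True)
class RangeEntry:
    """One 'IP Address Range' ACL entry."""
    start: str
    end: Optional[str] = None        # blank = single server
    port: Port = "*"
    protocol: Optional[str] = None   # "ICA" or "CGP"; the page wants one entry per protocol
    use_default: bool = False        # the "Use default port" check box

    def __post_init__(self) -> None:
        lo = ipaddress.ip_address(self.start)
        hi = ipaddress.ip_address(self.end) if self.end else lo
        if hi.version != lo.version or hi < lo:
            raise ValueError("end address must be in the same family and not precede start")
        if self.use_default and self.protocol not in DEFAULT_PORTS:
            raise ValueError("'Use default port' requires ICA or CGP to be selected")

    def matches(self, dest: str, dest_port: int, protocol: Optional[str]) -> bool:
        try:
            ip = ipaddress.ip_address(dest)
        except ValueError:
            return False                        # a host name never matches an IP range
        lo = ipaddress.ip_address(self.start)
        hi = ipaddress.ip_address(self.end) if self.end else lo
        if ip.version != lo.version or not (lo <= ip <= hi):
            return False
        if self.protocol and protocol and self.protocol != protocol:
            return False                        # ICA entry does not cover CGP, and vice versa
        if self.use_default:
            return dest_port == DEFAULT_PORTS[self.protocol]
        return _port_ok(self.port, dest_port)


@dataclass(frozen=True)
class FqdnEntry:
    """One 'Server FQDN' ACL entry."""
    fqdn: str
    port: Port = "*"
    secure: bool = False   # "Secure traffic between the server and the Secure Gateway Proxy"

    def matches(self, dest: str, dest_port: int, protocol: Optional[str]) -> bool:
        return dest.lower() == self.fqdn.lower() and _port_ok(self.port, dest_port)


def is_allowed(acl: Sequence[Union[RangeEntry, FqdnEntry]], dest: str,
               dest_port: int, protocol: Optional[str] = None) -> bool:
    """True if at least one ACL entry permits a connection to dest:dest_port."""
    return any(entry.matches(dest, dest_port, protocol) for entry in acl)


# Constructed ACL: a XenApp range with separate ICA and CGP entries, one server on
# any port, and one FQDN entry restricted to 443 (STA servers are configured elsewhere).
SAMPLE_ACL = [
    RangeEntry("10.0.1.10", "10.0.1.20", protocol="ICA", use_default=True),
    RangeEntry("10.0.1.10", "10.0.1.20", protocol="CGP", use_default=True),
    RangeEntry("10.0.2.5"),
    FqdnEntry("wi.example.internal", port=443, secure=True),
]
```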

To add the Secure Ticket Authority details

You can configure the Secure Gateway to contact multiple STAs for failover protection. If you specify multiple STAs, be sure that this list matches the list of STAs that the Web Interface is configured to contact.

  1. Type or select the following information:
    • FQDN

      Enter the fully qualified domain name of the server running the STA.

    • Path

      This field is populated automatically with the default virtual directory path, /Scripts/CtxSTA.dll or CitrixAuthService/AuthService.asmx. If you changed the default path when you configured the Citrix XML Service to share a port with Internet Information Services on the server running Citrix XenApp, enter the correct path.

    • ID

      This field is populated automatically by the Secure Gateway when it resolves the specified FQDN and reads the ID string from the server running the STA. If the Secure Gateway is unable to resolve the address specified, you are prompted to enter the ID for the STA. The ID for the STA is a randomly generated string. You can view STA IDs by running the Secure Gateway diagnostic tool.

    • Secure traffic between the STA and the Secure Gateway

      Select this option to secure communications between the Secure Gateway and the STA by using SSL or TLS. To enable this security feature, the FQDN of the STA must match the FQDN specified by its server certificate.

    • TCP port

      Enter a network port number used by the Secure Gateway to contact the STA.

    • Use default

      Select this option to use the default port assignment for the STA. The default TCP port for unsecured communications between the Secure Gateway and the STA is 80. The default TCP port for secure communications between the Secure Gateway and STA is 443.

To configure connection parameters

You can configure how connection requests time out. Preventing requests from timing out may be useful if your network has periods of high latency. However, uncompleted connection requests that do not time out, or time out slowly, can preempt additional connections through the Secure Gateway. The number of connections the Secure Gateway server can support depends on the server processor, usage, and limits set in the Concurrent Connection Limits section.

Select one of the following options:

  • No connection timeout

    Select this option if you do not want to limit the time in which Secure Gateway must complete a connection request. Do not select this option if typical usage behavior can result in so many uncompleted connection requests that the server stops accepting connection requests.

  • Connection timeout (seconds)

    Set the interval of time in which the Secure Gateway can complete a connection request. If the connection is not established by the time the specified value elapses, then the connection times out. By default, the connection timeout value is configured for 100 seconds.

  • Concurrent Connection Limits

    This option is not available for the Secure Gateway Proxy. Set the following values using numbers suitable to your environment. Consider processor type and processor speed as well as typical usage behavior. Failure to do so may overload the processor and result in a poor quality of service for your end users.

    • Unlimited. Select this option to configure the Secure Gateway to support up to 1,920 concurrent client connections (250 connections are allocated to HTTP/S by default, leaving 1,670 ICA/CGP connections, including MAPI over CGP connections). The Secure Gateway stops accepting new connection requests if the number of concurrent client connections reaches 1,920. This setting overrides the value entered in Maximum connections.
    • Maximum Connections. Specify the maximum number of concurrent ICA/CGP connections supported by the Secure Gateway. The Secure Gateway stops accepting new ICA/CGP connection requests when the number of concurrent connections equals the value entered in this field.

To configure logging exclusions

Typically, third-party network devices such as load balancers generate extraneous Secure Gateway log information. For example, load balancers might poll the Secure Gateway repeatedly to ensure that the server is active. Each poll is recorded by the Secure Gateway as a connection, resulting in the event log containing several unnecessary entries.

The Secure Gateway and the Secure Gateway Proxy generate their own log files. Therefore, if you deployed the Secure Gateway in proxy mode, you must configure each component’s logging exclusions separately.

  1. Click Add to enter the IP address of a network device that you want the Secure Gateway to exclude from its logging operations.
  2. After typing the IP address, click OK.

To add the Web Interface server details

The Web Interface works with the Secure Gateway to provide a logon interface, and facilitates the authentication and authorization of connection requests to server farms.

Running the Secure Gateway and the Web Interface on a single server is supported only in a single-hop DMZ environment.

  1. Select one of the following access options:
    • Indirect

      To access the Web Interface, users enter the URL of the Secure Gateway. Users connect to the Secure Gateway, which routes the request to the Web Interface. If the Web Interface is installed on the same computer as the Secure Gateway, select the Installed on this computer check box (this option is not available in a double-hop environment).

      If you configure your firewall to permit connections to the Secure Gateway only, the Web Interface is not exposed to the Internet, which is preferable in some enterprises. Configuring indirect access can be economical if you deploy the Web Interface on the Secure Gateway server. In that case, all that is required is one SSL certificate, one public IP address, and one server.

    • Direct

  2. If you do not select the Installed on this computer check box, type or select the following information in the Details area:
    • FQDN

      Enter the fully qualified domain name of the server running the Web Interface. If you selected Installed on this computer, this field is automatically populated with the value localhost.

    • TCP port

      Enter the port number the Secure Gateway should use when communicating with the Web Interface.

  3. Select the Secure traffic between the Web Interface check box to configure the Secure Gateway to use HTTPS when communicating with the Web Interface.

To configure the logging parameters

  1. Specify the type of errors and events that the Secure Gateway/Secure Gateway Proxy writes to the event log and Event Viewer. The logging levels available include the following:
    • Fatal Events Only

      Fatal error messages are logged when an operational failure prevents the Secure Gateway Proxy from starting. Select this option to log only fatal events.

    • Error and Fatal Events

      Error messages are logged when a partial failure, such as the Secure Gateway Proxy being out of memory, occurs. Select this option to log errors and fatal events.

    • Warning, error, and fatal events

      Warning messages are logged when tickets time out, data packets are corrupted, and similar events occur. Select this option to log warnings, errors, and fatal events.

    • All events including informational

      All events are logged, including informational messages resulting from client connections. Select this option to log all events and errors. Selecting this option will result in the Event Viewer window and event log filling up rapidly.

  2. Click Next.

To complete the configuration

You must start or restart the Secure Gateway/Secure Gateway Proxy to use the new configuration settings. If the Secure Gateway/Secure Gateway Proxy is already running, restarting it disconnects all active sessions. To avoid disconnecting active user sessions, you can clear the Restart Secure Gateway Proxy check box.

  • Select Start the Secure Gateway or Start the Secure Gateway Proxy and click Finish.
    Note: If a client is connected to the Secure Gateway and the Secure Gateway is restarted, the Secure Gateway does not generate service stop and service start event log messages. If a client is not connected and the Secure Gateway is restarted, Secure Gateway does generate these messages.

To stop the Secure Gateway/Secure Gateway Proxy service

  1. Log on as an administrator to the Secure Gateway.
  2. From the Start button, locate and click Secure Gateway Management Console.
  3. In the Secure Gateway Management Console, on the Action menu, click All Tasks and click Stop.

To uninstall the Secure Gateway

  1. Exit any applications running on the server.
  2. Open the Control Panel and click Programs and Features.
  3. Select to uninstall Secure Gateway.