In addition to describing the Secure Gateway and Secure Gateway Proxy
installation and configuration processes, this section also explains how to
move to the current version of Secure Gateway from an installed earlier
version. It also presents how to use a firewall with Secure Gateway and Secure
When Secure Gateway or Secure Gateway Proxy is installed on a supported
64-bit Windows operating systems, it installs in the 32-bit application
location by default.
Important: You must have access to administrative privileges to
install and configure the Secure Gateway and use the management tools. Disable
User Account Control (UAC) while installing and configuring the Secure Gateway
and Secure Gateway Proxy.
Note: If Secure Gateway or Secure Gateway Proxy is already installed,
disconnected all active sessions before reinstalling or reconfiguring it.
Otherwise, the Secure Gateway service might fail to restart.
Testing Your Deployment
After you complete installation and configuration of the Secure
Gateway, test your deployment to make sure it works and is accessible through
You can also run the Secure Gateway Diagnostics tool to find a
solution. This utility contacts all servers running the Secure Gateway
components and generates a report containing configuration and status
information for each component.
- Use a Web browser on a user device to connect to the Secure
Gateway; for example, https://www.gateway01.wzyco.com/Citrix/AccessPlatform/ or
https://Web Interface FQDN/Citrix/XenApp.
- Log on using domain credentials. After a brief interval, the
Applications page containing icons for published resources appears.
- Verify that you can launch published applications from this page.
Upgrading Secure Gateway or Secure Gateway Proxy
You can upgrade from these versions of Secure Gateway or Secure
- Secure Gateway or Secure Gateway Proxy 3.2
- Secure Gateway or Secure Gateway Proxy 3.1.4
- Secure Gateway or Secure Gateway Proxy 3.1.3
Perform a fresh installation to migrate from these versions of Secure
Gateway or Secure Gateway Proxy; upgrading is not supported:
- Secure Gateway or Secure Gateway Proxy 3.1
- Secure Gateway or Secure Gateway Proxy 3.0.x
- Secure Gateway or Secure Gateway Proxy 3.0
To perform a fresh installation:
- Remove any installed
Secure Gateway hotfix software packages.
- Remove the Secure Gateway
or Secure Gateway Proxy software.
- Install Secure Gateway or
Secure Gateway Proxy.
Using Firewall Software with the Secure Gateway or Secure Gateway
The firewall software included in your Microsoft Windows server
operating system (such as Windows Firewall with Advanced Security) where the
Secure Gateway or Secure Gateway Proxy is used might not automatically allow
access to required ports. Non-Microsoft firewall software might also disallow
port access by default.
Also, the Secure Gateway or Secure Gateway Proxy does not
automatically create an exception to allow access to the default SSL port 443,
the default Secure Gateway Proxy port 1080, or any port number you select when
configuring the software.
Manually add or allow access to these ports to any firewall software
you are using in your environment.
The Secure Gateway installer installs the Secure Gateway or the Secure
Gateway Proxy. When installation is complete, the Secure Gateway Configuration
wizard automatically starts so you can configure Secure Gateway.
The following steps outline the installation sequence of the Secure
- Install Citrix XenApp.
- Install root and server
certificates on the appropriate computers.
- If using a double-hop DMZ,
install the Secure Gateway Proxy in the second DMZ.
- If you are securing
communications between the Secure Gateway and the Secure Gateway Proxy, ensure
you install a server certificate on the server running the Secure Gateway
- Install the Secure Gateway
in the first, or only, DMZ.
Important: The Secure Gateway is designed to discover and
verify the existence of the other Citrix components during configuration. For
example, during configuration the Secure Gateway verifies that servers running
the Web Interface and the Secure Ticket Authority (STA), if used, are
functional. If a required component is not found, the Secure Gateway may fail
to start. Ensure that you follow the recommended installation sequence.
The installation sequence must be in this order:
- Always install components
within the secure network first.
- Optional. If your network
contains a double-hop DMZ, install components in the second DMZ segment next.
- Install components in the
first DMZ segment last.
Secure Gateway Configuration Wizard
The Secure Gateway Configuration wizard guides you through the process
of specifying configuration parameters for the Secure Gateway. Each dialog box
includes context-sensitive Help so that you can obtain additional information
specific to the parameters you are configuring. Click
Help within any dialog box to access the
You can access the Secure Gateway Configuration wizard from the
Secure Gateway Management Console node in this
console. You can also access the Secure Gateway Configuration wizard or the
Secure Gateway Proxy Configuration wizard from
All Programs in the
Start menu of the server running the service or
proxy. Running the Secure Gateway Configuration Wizard requires administrative
Running the Secure Gateway Configuration Wizard requires