In a single-hop deployment, users can connect to the enterprise network
in two ways. The first is where the Secure Gateway intercepts the client
connection and routes it to the Web Interface. After logging on and
authenticating user credentials, the Secure Gateway handles the connection.
Alternatively, users can be directed to the Web Interface first, where they log
on and then the connection is handled by the Secure Gateway. The first scenario
is referred to as “behind the Secure Gateway.” The second scenario is referred
to as “parallel to the Secure Gateway.”
Certificate Requirements for a Single-Hop DMZ Deployment
If the Secure Gateway is in the DMZ, servers and clients need the
- Root certificates on all
user devices that connect to the server running the Secure Gateway.
- Root certificates on every
Secure Gateway component that connects to a secure server. For example, a root
certificate must be present on the server running the Secure Gateway to verify
the server certificate installed on the server running the STA.
- A server certificate on
the server running the Secure Gateway.
- Optional. A server
certificate on the servers running the STA. The STA is installed by default
when you install Citrix XenApp.
All Secure Gateway components support the use of digital certificates.
Citrix recommends that the communication links between the Secure Gateway and
other servers in the DMZ or secure network be encrypted.
Deployment Scenario A: Secure Gateway in a Single-Hop DMZ
WXYCo Inc. is an audit firm that recently purchased licenses for
The company’s employees are financial auditors who visit client sites
and conduct financial audits. They use a proprietary, client-server auditing
software application, AuditorX. They publish AuditorX on computers running
Citrix XenApp. They also deploy the Web Interface for Web access to their
published resources. Employees can access AuditorX and other published
resources through a Web browser on a user device connected to the LAN.
WXYCo realizes installing the Secure Gateway allows them to provide
secure Internet access to published resources on its server farms. Because the
workforce is largely mobile, use of the Internet to connect to the enterprise
network is expected to reduce remote access costs dramatically.
A secure server farm using a single-hop DMZ.
This figure illustrates a secure enterprise network separated from the
Internet by a single-hop DMZ. The enterprise network contains a server farm
including one server running Citrix XenApp with the Secure Ticket Authority
(STA). The firewall separating the secure network from the DMZ has ports 80,
443, and 1494 open. If session reliability is enabled, port 2598 is open on the
The DMZ contains a single server running the Secure Gateway and the
Web Interface. Traffic to the Web Interface is proxied through the Secure
Gateway, which communicates with the Web Interface using HTTP.
The DMZ is separated from the Internet by a firewall that has port 443
open. The mobile workforce carries notebook PCs running a 32-bit Windows
operating system, Internet Explorer 5.5, and the Citrix online plug-in for
The security analyst recommends securing the communication link
between the Secure Gateway and the STA. To do this, the company purchased two
server certificates from a commercial certificate authority (CA). The server
running the Secure Gateway and the Web Interface have root and server
certificates installed. The server running Citrix XenApp has a server
certificate installed. For more information about certificates, see
Digital Certificates and the Secure Gateway.
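The figure description above fixes which ports each firewall in the single-hop DMZ should allow: only 443 between the Internet and the DMZ, and 80, 443 and 1494 (plus 2598 when session reliability is enabled) between the DMZ and the secure network. The following PowerShell script is an added example, not part of the Citrix documentation: it compares a rule set exported from a firewall against that documented minimum and reports ports that are missing or open without being required. The rule objects, segment names and the sample rule set are constructed for illustration; map your firewall's own export onto the Segment, Port and Action fields.

```powershell
# Added example (not from the Citrix documentation): check a candidate firewall
# rule set against the single-hop DMZ port requirements described in the text.
# Segment names and the sample rules below are constructed for illustration.

# Documented minimum: Internet -> DMZ allows only TCP 443; DMZ -> secure network
# allows TCP 80, 443 and 1494, plus 2598 when session reliability is enabled.
function Get-ExpectedDmzPorts {
    param([switch]$SessionReliability)
    $internal = @(80, 443, 1494)
    if ($SessionReliability) { $internal += 2598 }
    return @{
        'Internet->DMZ' = @(443)
        'DMZ->Secure'   = $internal
    }
}

function Test-DmzFirewallPolicy {
    param(
        # Objects with Segment, Port and Action properties (constructed format)
        [Parameter(Mandatory)] [object[]]$Rules,
        [switch]$SessionReliability
    )
    $expected = Get-ExpectedDmzPorts -SessionReliability:$SessionReliability
    $findings = @()
    foreach ($segment in $expected.Keys) {
        # Ports this rule set explicitly allows on the segment
        $open = $Rules |
            Where-Object { $_.Segment -eq $segment -and $_.Action -eq 'Allow' } |
            ForEach-Object { [int]$_.Port }
        foreach ($p in $expected[$segment]) {
            if ($open -notcontains $p) {
                $findings += "MISSING: $segment needs TCP $p open"
            }
        }
        foreach ($p in $open) {
            if ($expected[$segment] -notcontains $p) {
                $findings += "EXCESS: $segment allows TCP $p, which the design does not require"
            }
        }
    }
    return $findings
}

# Constructed sample: the Internet-facing firewall also allows 80, and the
# firewall in front of the secure network is missing 1494 (ICA).
$sampleRules = @(
    [pscustomobject]@{ Segment = 'Internet->DMZ'; Port = 443; Action = 'Allow' },
    [pscustomobject]@{ Segment = 'Internet->DMZ'; Port = 80;  Action = 'Allow' },
    [pscustomobject]@{ Segment = 'DMZ->Secure';   Port = 80;  Action = 'Allow' },
    [pscustomobject]@{ Segment = 'DMZ->Secure';   Port = 443; Action = 'Allow' }
)

Test-DmzFirewallPolicy -Rules $sampleRules
```

Run it with `-SessionReliability` when port 2598 is in use so that the check expects that port instead of flagging it as excess. Excess findings on the Internet-facing segment deserve the most attention, since the design relies on 443 being the only path into the DMZ.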
Running the Web Interface behind the Secure Gateway in the
In a single-hop DMZ deployment scenario, all incoming traffic is
intercepted by the Secure Gateway. The Web Interface can be installed on the
same server as the Secure Gateway or on a separate server. All data exchanged
between user devices and the Web Interface is relayed through the Secure
The firewall facing the Internet has port 443 open. Users connect to
the Secure Gateway using a URL such as https://Secure Gateway
Secure Gateway FQDN is the fully qualified domain
name for the server running the Secure Gateway.
- A single server certificate is required on the server running the Secure
  Gateway and the Web Interface.
- A single port, 443, must be opened on the firewall facing the Internet.
- The Web Interface cannot be contacted directly from the Internet and is
  more secure.
- Deploying the Secure Gateway in this configuration affects Web Interface
  functionality. When you deploy the Secure Gateway in this configuration, you
  lose some of the features available with the Web Interface, including the
  following:
  - Smart Card Authentication. The Secure Gateway negotiates the SSL handshake
    and terminates the SSL connection before forwarding the client connection
    request to the Web Interface. Smart card authentication integrated with
    the Web Interface is unavailable because the Secure Gateway terminates the
    SSL connection before it reaches the Web Interface.
  - Firewall and Proxy Settings Requiring Knowledge of the Client IP Address
    Are Ineffective. All communication from the user device to the Web
    Interface is proxied through the Secure Gateway. As a result, all client
    communications to the Web Interface originate from the IP address of the
    server running the Secure Gateway. Though you can still configure firewall
    and proxy settings on the Web Interface for specific client address
    prefixes, these settings must allow all client communications through the
    Secure Gateway to have the Web Interface IP address. You will not be able
    to distinguish between different user devices connecting through the
Citrix recommends deploying the Secure Gateway in this configuration
if your network is small to medium sized, with a usage profile of hundreds of
users. This type of deployment is optimal when users are connecting over the
Internet to the Secure Gateway.
Locking Down Internet Information Services
All traffic to the server running the Web Interface is proxied through
the server running the Secure Gateway. Lock down Internet Information Services
(IIS) so that only the Secure Gateway can communicate with the Web Interface.
For instructions about configuring IIS to explicitly grant or deny
access to applications or Web sites, refer to the IIS documentation that ships
with your version of Microsoft Windows Server.
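One way to apply the lockdown described above, added here as an example rather than taken from the Citrix documentation or the IIS documentation it refers to, is the IIS IP and Domain Restrictions feature: deny every unlisted address on the Web Interface site and allow only the address of the server running the Secure Gateway. The script assumes IIS 7 or later with the WebAdministration PowerShell module; the site name and the gateway address 192.0.2.10 are placeholders. Because the Secure Gateway reaches the Web Interface over HTTP (as stated above), this restriction is what stops other hosts in the DMZ from talking to the site directly.

```powershell
# Added example (not from the Citrix or IIS documentation): allow only the
# Secure Gateway's address to reach the Web Interface site in IIS.
# Assumes IIS 7+ with the WebAdministration module. Site name and address
# are placeholders to replace with your own values.
Import-Module WebAdministration

$siteName  = 'Default Web Site'    # placeholder: the IIS site hosting the Web Interface
$gatewayIP = '192.0.2.10'          # placeholder: address of the Secure Gateway server
                                   # (use 127.0.0.1 when both run on the same server)
$appHost   = 'MACHINE/WEBROOT/APPHOST'
$filter    = 'system.webServer/security/ipSecurity'

# The IP and Domain Restrictions role service must be installed first.
Install-WindowsFeature -Name Web-IP-Security

# Default action: deny any address that is not explicitly listed.
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter $filter `
    -Name 'allowUnlisted' -Value $false

# Explicit allow entry for the Secure Gateway only.
Add-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter $filter `
    -Name '.' -Value @{ ipAddress = $gatewayIP; allowed = 'True' }

# Verify the resulting policy: default action and the allow list.
Get-WebConfiguration -PSPath $appHost -Location $siteName -Filter $filter |
    Select-Object allowUnlisted
Get-WebConfiguration -PSPath $appHost -Location $siteName -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, allowed
```

After applying it, confirm from a host other than the Secure Gateway that the Web Interface site answers with an access-denied response, and from the Secure Gateway that logon still works; an allow list that omits the gateway's real source address locks the gateway out as well.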
Running the Web Interface Parallel with the Secure Gateway
In this configuration, the Secure Gateway and the Web Interface are
installed on separate servers. Users connect directly to the Web Interface,
using a URL such as https://Web Interface FQDN/citrix/AccessPlatform or
https://Web Interface FQDN/citrix/XenApp, where
Web Interface FQDN is the fully qualified domain
name for the server running the Web Interface.
Citrix recommends securing both servers by installing a server
certificate on each server running the Secure Gateway and the Web Interface.
Open port 443 on the firewall facing the Internet.
Use this configuration when you want the features available with the Web
Interface, including smart card authentication and firewall and proxy settings
that depend on knowing the client IP address.
Setting Up the Web Interface and the Secure Gateway in a Single-Hop Demilitarized Zone
In this scenario, the Web Interface and the Secure Gateway are hosted
on the same server in the DMZ. Install and configure the Web Interface before
you install the Secure Gateway.
- Install the Web Interface
on the server reserved for the Secure Gateway and the Web Interface.
- Add and configure server
farms for use with the Web Interface.
- Use a Web browser on a
user device to connect and log on to the Web Interface.
- Verify that you can launch
- Configure the Secure
Gateway and include the FQDN for the STA.
The Secure Gateway is installed on the same server as the Web
Interface in the DMZ.