Use TLS to secure the connections between client devices and Secure Gateway. To do this, deploy TLS/SSL-enabled plugins and configure Secure Gateway at the network perimeter, typically in a demilitarized zone (DMZ). Secure the connections between users' Web browsers and the Web Interface using HTTPS. Additionally, secure communication between the Web Interface and the XenApp servers using TLS.
The accompanying figure shows a detailed view of sample deployment B.1.
In this deployment, Secure Gateway removes the need to publish the address of every XenApp server in the farm and provides a single point of encryption and access to the farm. Because the gateway is a separate host from the XenApp servers, only its address needs to be reachable from outside, and firewall traversal for ICA traffic in and out of the firewalls is reduced to a single, widely accepted port (443 by default) instead of the ICA ports of every server.
The trade-off for the increased scalability of sample deployment B is that ICA communication is encrypted only between the client devices and Secure Gateway. Secure Gateway terminates TLS, so the ICA communication between Secure Gateway and the XenApp servers crosses the internal network unencrypted, where anyone able to observe that traffic can read the session data.
Note that the SSL Relay in sample deployment B encrypts only the communication between the Web Interface and the XML Service running on the XenApp servers. Secure Gateway communicates with the XenApp servers directly, so the SSL Relay is not used for communication between Secure Gateway and the server farm and does not close the gap described above.
To comply with FIPS 140, the unencrypted hop must be protected as well: secure the communication between Secure Gateway and the server farm using IPSec, as shown in sample deployment B.2. The accompanying figure shows a detailed view of sample deployment B.2, which includes IPSec.
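Sample deployment B.2 protects the Secure Gateway-to-farm hop with IPSec. The script below is an added example of how such a policy can be expressed with the Windows NetSecurity cmdlets; it is not code from the Citrix documentation or from the Secure Gateway product. The farm subnet, gateway address, CA subject and the ICA/CGP port numbers 1494 and 2598 are assumptions for illustration, and the cmdlets require Windows Server 2012 or later on both the gateway and the XenApp servers.

```powershell
# Added example, not from the Citrix documentation or the Secure Gateway product:
# require IPsec (ESP with AES-256 and SHA-256, IKE with DH group 14, machine-certificate
# authentication) for the ICA/CGP traffic between the Secure Gateway host and the
# XenApp farm, which is the hop that sample deployment B.2 protects with IPSec.
#
# Assumptions (hypothetical values): the farm is 10.10.20.0/24, the Secure Gateway host
# in the DMZ is 192.0.2.10, both sides hold machine certificates from one internal CA,
# and both run a Windows version with the NetSecurity module (Windows Server 2012 or
# later). Run in an elevated PowerShell session, once on the gateway with -Role Gateway
# and once on each XenApp server with -Role Farm.

param([ValidateSet('Gateway', 'Farm')][string]$Role = 'Gateway')

$FarmSubnet  = '10.10.20.0/24'
$GatewayHost = '192.0.2.10'
$IcaPorts    = 1494, 2598        # ICA and session reliability (CGP), assumed defaults
$IssuingCA   = 'CN=Corp Issuing CA, DC=corp, DC=example'   # assumed CA subject

# 1. Report whether the OS-level FIPS policy is on. The IPsec rule below selects only
#    FIPS-approved algorithms; this policy is what prevents non-approved ones being
#    used elsewhere on the host. Read-only check, it does not change the setting.
$fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                         -Name Enabled -ErrorAction SilentlyContinue
if (-not $fips -or $fips.Enabled -ne 1) {
    Write-Warning 'FIPS algorithm policy (FipsAlgorithmPolicy\Enabled) is not set to 1 on this host.'
}

# 2. IKE main mode: AES-256, SHA-256, Diffie-Hellman group 14, machine certificates.
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mmSet      = New-NetIPsecMainModeCryptoSet -DisplayName 'SG-Farm main mode' -Proposal $mmProposal

$authProposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $IssuingCA -AuthorityType Root
$authSet      = New-NetIPsecPhase1AuthSet -DisplayName 'SG-Farm machine cert' -Proposal $authProposal

New-NetIPsecMainModeRule -DisplayName 'SG-Farm IKE' `
    -MainModeCryptoSet $mmSet.Name -Phase1AuthSet $authSet.Name | Out-Null

# 3. Quick mode: ESP carrying AES-256 with SHA-256 integrity, PFS on DH group 14.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet      = New-NetIPsecQuickModeCryptoSet -DisplayName 'SG-Farm quick mode' `
                  -Proposal $qmProposal -PerfectForwardSecrecyGroup DH14

# 4. Connection security rule. On the gateway the farm is the remote side and the ICA
#    ports are remote ports; on a farm server the gateway is the remote side and the
#    ICA ports are local. 'Require' in both directions, not 'Request', so a peer that
#    cannot negotiate IPsec is refused instead of silently falling back to cleartext ICA.
$ruleArgs = @{
    DisplayName        = "SG-Farm ICA over IPsec ($Role)"
    Protocol           = 'TCP'
    InboundSecurity    = 'Require'
    OutboundSecurity   = 'Require'
    Phase1AuthSet      = $authSet.Name
    QuickModeCryptoSet = $qmSet.Name
    Mode               = 'Transport'
}
if ($Role -eq 'Gateway') {
    $ruleArgs.LocalAddress  = $GatewayHost
    $ruleArgs.RemoteAddress = $FarmSubnet
    $ruleArgs.RemotePort    = $IcaPorts
} else {
    $ruleArgs.LocalAddress  = 'Any'
    $ruleArgs.RemoteAddress = $GatewayHost
    $ruleArgs.LocalPort     = $IcaPorts
}
New-NetIPsecRule @ruleArgs | Out-Null

# 5. Verification, after a client session has been launched through the gateway: each
#    quick-mode SA to the peer should show ESP with the AES-256/SHA-256 proposal above.
#    No SA at all for an active session means the traffic is still passing in cleartext.
$peer = if ($Role -eq 'Gateway') { '10.10.20.*' } else { $GatewayHost }
Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -like $peer } | Format-List *
```

The policy must exist on both ends of the hop, which is why the rule is mirrored by role: a rule only on the gateway would leave every XenApp server willing to accept cleartext ICA from any other host. Secure Gateway of this era also ran on older Windows releases that manage IPSec through the IP Security Policy snap-in or netsh ipsec rather than these cmdlets; the structure of the policy (certificate authentication, AES with SHA-256, and Require rather than Request) carries over unchanged.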