Product Documentation

XenApp and Secure Gateway

Oct 09, 2015

The Secure Gateway for Windows helps you to secure access to enterprise network computers running Citrix XenApp and provides a secure Internet gateway between Citrix XenApp and user devices. The Secure Gateway transparently encrypts and authenticates all user connections to help protect against data tampering and theft. All data traversing the Internet between a remote workstation and the Secure Gateway is encrypted using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol.

The Secure Gateway is an application that runs as a service on a server that is deployed in the demilitarized zone (DMZ). The server running the Secure Gateway represents a single point of access to the secure, enterprise network. The Secure Gateway acts as an intermediary for every connection request originating from the Internet to the enterprise network. For increased security, the Secure Gateway Proxy is used with the Secure Gateway in a double-hop DMZ deployment. The Secure Gateway is installed in the first DMZ and the Secure Gateway Proxy is installed in the second DMZ. The Secure Gateway Proxy acts as a conduit for traffic originating from the Secure Gateway to servers in the secure network, and from servers in the secure network to the Secure Gateway.

Your enterprise network can contain one or more servers running Citrix XenApp. A server farm is used for hosting published resources that users can access over the network.

The Secure Gateway works with the following components of Citrix XenApp for logon and authentication:

Citrix Web Interface
Provides user access to published resources in a server farm from a Web browser. The Web Interface works with the Secure Gateway to provide a logon interface, and facilitates authentication and authorization of connection requests to the server farm.
Secure Ticket Authority (STA)
The STA is responsible for issuing session tickets in response to connection requests for published resources on Citrix XenApp. These session tickets form the basis of authentication and authorization for access to published resources. During installation of Citrix XenApp, the STA is installed automatically. It is no longer necessary to reserve a separate server for the STA.
Citrix XML Service
When the Secure Gateway provides secure access to published resources available in a server farm, the Citrix XML Service is contacted for published resources availability and location. The Citrix XML Service is the point of contact for a server farm and provides an HTTP interface to the user device. It uses the TCP protocol instead of UDP, which allows connections to work across most firewalls. The default port for the Citrix XML Service is 80. Ensure that this port is configured, functioning correctly, and is accessible through the firewall in front of the secure network.
Citrix Online Plug-in Web
You can use Citrix Online Plug-in Web to access resources available from the Web Interface and for access to resources published with traditional Application Launching and Embedding (ALE).
Important: The Secure Gateway and Secure Gateway Proxy are not supported in environments using Advanced Access Control.

Secure Gateway Features

Designed-in security
The Secure Gateway provides authentication, authorization, and cryptography functionality that is consistent with Microsoft’s best practices for secure software.
Network protocol support
The Secure Gateway supports TCP/IP-based protocols such as FTP, HTTP, and Telnet.
IPv4 and IPv6 protocol support
The Secure Gateway can be configured to accept inbound connections from clients using IPv4 and IPv6 addresses.
Secure Sockets Layer support
The Secure Gateway provides SSL support to secure communication between the client and the Secure Gateway components.
Simple deployment
Citrix XenApp includes the Secure Ticket Authority (STA) in a single Windows Installer package, which makes deployment more efficient. The STA is deployed automatically on the same computer as Citrix XenApp, reducing the number of computers required for a basic deployment. Internet Information Server is no longer a requirement for installing the STA; an Internet Information Server deployment remains a supported option during installation of Citrix XenApp.
Certificate management
The Secure Gateway Configuration wizard prevents the selection of a certificate that does not have a private key and verifies that the appropriate certificate is installed in the local computer certificate store.
Wildcard certificate support
Wildcard certificates can be deployed on the Secure Gateway, the Secure Gateway Proxy, and on the computer where Citrix XenApp is hosting the STA.
Load balancing
The Secure Gateway provides load balancing for the Secure Gateway Proxy. IP addresses are retrieved from the DNS using a domain name or listed individually.
Access logging
The Secure Gateway uses the Apache standard access log format and supports log rotation for the access log files. The access log files record connection information for the Secure Gateway or the Secure Gateway Proxy.
Performance counters
The Secure Gateway includes a new set of performance counters to analyze the usage and load on the Secure Gateway server.
Based on Apache Technology
The Secure Gateway is built on a code base derived from Apache technology.
Section 508 compliance
Secure Gateway is compliant with Section 508 of the United States Workforce Rehabilitation Act of 1973.
Session reliability
Session reliability keeps users' work items open when network connectivity is lost and resumes them seamlessly when connectivity is restored, benefiting both mobile and local users. This feature is especially useful for mobile users with wireless connections that are interrupted or dropped. When a session connection is interrupted, all open windows to published resources remain visible while reconnection is attempted automatically in the background.
Relay mode
Secure Gateway can be installed in relay mode for internal secure communications. Relay mode can be used in secure corporate environments such as intranets, LANs, and WANs. Relay mode is not recommended for external connections from the Internet to a server farm or server access farm.
Supports single-hop or double-hop DMZ deployment
The Secure Gateway can be installed to span a single-hop or a double-hop DMZ. If your DMZ is divided into two stages, install the appropriate Secure Gateway component in each DMZ segment to securely transport HTTP/S and ICA traffic to and from the secure network.
Supports secure communication between the Secure Gateway components
The Secure Gateway components support the use of digital certificates and the task of securing links by using SSL/TLS between components.
Configuration, management, and diagnostic tools
The Secure Gateway Management Console is a Microsoft Management Console (MMC) snap-in you can use to manage, analyze, and troubleshoot a Secure Gateway deployment. The Secure Gateway Diagnostics tool, available from the Secure Gateway Management Console, reports configuration values, certificate details, and the state of each configured component.
Minimal client configuration
User devices require no preinstalled software for security. Remote, secure access is easy to support, requiring little effort from IT staff.
Certificate–based security
The Secure Gateway uses standard Public Key Infrastructure (PKI) technology to provide the framework and trust infrastructure for authentication and authorization.
Standard encryption protocols
The Secure Gateway uses industry-standard SSL or TLS encryption technology to secure Web and application traffic between the client and server. Connections between clients and the Secure Gateway are encrypted using SSL or TLS protocols. You can further enhance security by forcing the Secure Gateway to restrict its use of ciphersuites to commercial or government ciphersuites certified for Federal Information Processing Standard (FIPS) 140 requirements.
Authentication and authorization
The Secure Gateway works with the Web Interface to facilitate authentication of users attempting to establish connections to a server farm. Authorization occurs when the Secure Gateway confirms, by validating the session ticket issued by the STA, that the user has been authenticated by the enterprise network. The authorization process is entirely transparent to the user.
Single point of entry
The need to publish the address of every Citrix XenApp server is eliminated and server certificate management is simplified. The Secure Gateway allows a single point of encryption and access to computers running Citrix XenApp.
Firewall traversal
Connections from clients are secured with standard protocols using ports typically open on corporate firewalls. This allows easy traversal of firewalls without custom configuration.
Ease of installation and management
Adding the Secure Gateway to an existing server farm is relatively quick and simple, and requires minimal configuration, significantly reducing time and management costs.
Reliability and fault tolerance
The solution allows implementation of duplicate components to enable a redundant system. Large arrays can be built using industry-standard SSL load balancing systems for scalability. Even if hardware fails, the server farm remains protected.
Scalable and extensible solution
A single server running the Secure Gateway can support a small corporate site consisting of hundreds of users. You can support medium to large sites catering to thousands of users connecting to an array of load balanced servers running the Secure Gateway. The Secure Gateway components do not require special hardware devices or network equipment upgrades.
Event and audit logging
Critical and fatal system events are logged to the Secure Gateway application log, enabling administrators to help diagnose system problems. Logging levels are configurable and can be set from the user interface. Depending on the configured logging level, you can retrieve a complete record of network connection attempts to the Secure Gateway. You can also configure the Secure Gateway to omit log entries for polls from network equipment such as load balancers.
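Because the access log uses the Apache standard format, it can be reviewed with ordinary tooling. The following PowerShell snippet is an added example, not part of the Citrix documentation: it parses Common Log Format lines, drops the load-balancer health polls that the page says you can also suppress at the source, and summarises connection attempts per client. The log lines and the load-balancer addresses (10.0.0.5, 10.0.0.6) are constructed for the example.

```powershell
# Added example (not from the Citrix documentation): summarise connection attempts
# recorded in an Apache Common Log Format access log, ignoring load-balancer polls.
# The log lines and the health-check source addresses below are constructed.

$sampleLog = @'
203.0.113.10 - - [09/Oct/2015:10:12:01 +0000] "GET /Citrix/XenApp HTTP/1.1" 200 5123
10.0.0.5 - - [09/Oct/2015:10:12:02 +0000] "GET / HTTP/1.0" 200 0
203.0.113.10 - - [09/Oct/2015:10:12:05 +0000] "POST /Citrix/XenApp/auth/login.aspx HTTP/1.1" 302 0
198.51.100.7 - - [09/Oct/2015:10:12:06 +0000] "GET /Citrix/XenApp HTTP/1.1" 403 211
10.0.0.6 - - [09/Oct/2015:10:12:07 +0000] "GET / HTTP/1.0" 200 0
198.51.100.7 - - [09/Oct/2015:10:12:09 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0
'@

# Assumed addresses of the load balancers that poll the gateway
$healthCheckSources = @('10.0.0.5', '10.0.0.6')

# Common Log Format: host ident authuser [date] "method path protocol" status bytes
$clfPattern = '^(?<host>\S+) \S+ (?<user>\S+) \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) (?<proto>[^"]+)" (?<status>\d{3}) (?<bytes>\S+)$'

function ConvertFrom-AccessLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $clfPattern) {
            [pscustomobject]@{
                Host   = $Matches.host
                Time   = $Matches.time
                Method = $Matches.method
                Path   = $Matches.path
                Status = [int]$Matches.status
            }
        }
        elseif ($line.Trim()) {
            Write-Warning "Unparsed line: $line"
        }
    }
}

# Parse, then drop the polls so they do not inflate the per-client counts
$entries = ConvertFrom-AccessLog -Lines ($sampleLog -split "`r?`n") |
    Where-Object { $healthCheckSources -notcontains $_.Host }

# Per-client summary: total requests and how many the gateway rejected (4xx/5xx)
$entries | Group-Object Host | ForEach-Object {
    $group = $_.Group
    [pscustomobject]@{
        Client   = $_.Name
        Requests = $_.Count
        Rejected = @($group | Where-Object { $_.Status -ge 400 }).Count
    }
} | Sort-Object Rejected -Descending | Format-Table -AutoSize

# List every rejected request with its path, the lines worth a second look
$entries | Where-Object { $_.Status -ge 400 } |
    Format-Table Time, Host, Method, Path, Status -AutoSize
```

Point `$sampleLog` at the contents of a rotated access log (`Get-Content`) to run it against real data; the filter on `$healthCheckSources` is the analysis-side equivalent of configuring the Secure Gateway to omit poll entries.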

Planning a Secure Gateway Deployment

The deployment of the Secure Gateway depends on several factors, including which Citrix components you have in your enterprise network. The Secure Gateway is designed to work with Citrix XenApp.

If your enterprise network contains a server farm, you can deploy the Secure Gateway to provide secure Internet access to published resources. In such deployments, the Secure Gateway works with the Web Interface to provide authentication, authorization, and redirection to published resources hosted on a Citrix XenApp server.

To ensure that the security of the Secure Gateway is not compromised, Citrix recommends reserving servers for the exclusive use of the Secure Gateway.

Note: Citrix recommends setting up the Secure Gateway in a test environment before implementation to your production environment to make sure all of the features work correctly.

Place the Secure Gateway in the DMZ between two firewalls for maximum protection. In addition, physically secure the DMZ to prevent access to the firewalls and servers within the DMZ. A breach of your DMZ servers may, at best, create an annoyance in the form of downtime while you recover from the security breach.

Important: Citrix recommends that you configure your firewalls to restrict access to specific TCP ports only. If you configure your firewalls to allow access to TCP ports other than those used for HTTP, ICA, SSL, and XML data, you may allow users to gain access to unauthorized ports on the server.
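The port restriction above is usually enforced on the perimeter firewalls, but the same allowlist can be applied on the Secure Gateway host itself so that a misconfigured perimeter rule does not expose extra services. The PowerShell below is an added example, not part of the Citrix documentation, for a single-hop deployment. It assumes the Secure Gateway listens on TCP 443, that the Web Interface and Citrix XML Service run on 192.0.2.20 with the XML Service on its default port 80 (as the page states), that XenApp servers live in 192.0.2.0/24, and that ICA uses TCP 1494 with session reliability on TCP 2598 (the standard Citrix ports, assumed here rather than stated on this page).

```powershell
# Added example (not from the Citrix documentation): host firewall allowlist on a
# single-hop Secure Gateway server. Addresses and ICA ports below are assumptions.

$XmlServiceHost = '192.0.2.20'    # assumed Web Interface / XML Service / STA host
$XenAppServers  = '192.0.2.0/24'  # assumed XenApp server subnet

# Default-deny in both directions; everything not allowed below is dropped
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# Internet clients reach the Secure Gateway over SSL/TLS only
New-NetFirewallRule -DisplayName 'SG inbound HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow

# Secure Gateway -> Citrix XML Service / STA (resource lookup, ticket validation)
New-NetFirewallRule -DisplayName 'SG to XML Service' -Direction Outbound `
    -Protocol TCP -RemoteAddress $XmlServiceHost -RemotePort 80 -Action Allow

# Secure Gateway -> XenApp servers (ICA, session reliability); assumed ports
New-NetFirewallRule -DisplayName 'SG to XenApp ICA' -Direction Outbound `
    -Protocol TCP -RemoteAddress $XenAppServers -RemotePort 1494,2598 -Action Allow

# DNS, so that Secure Gateway Proxy and farm names can be resolved
New-NetFirewallRule -DisplayName 'SG DNS' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -Action Allow

# Review what is now permitted; anything else is blocked by the profile default
Get-NetFirewallRule -Enabled True | Where-Object { $_.DisplayName -like 'SG *' } |
    Format-Table DisplayName, Direction, Action -AutoSize
```

Blocking outbound traffic by default also stops management traffic (remote administration, patching, time sync), so add explicit rules for those before applying this on a server you cannot reach from the console. In a double-hop deployment the outbound rules on the Secure Gateway point at the Secure Gateway Proxy instead, and the corresponding rules on the Proxy point at the secure network.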

Installing the Secure Ticket Authority

When Citrix XenApp is installed, the Secure Ticket Authority (STA) is installed and configured automatically.

The STA no longer requires Microsoft Internet Information Services (IIS); it can be hosted by the Citrix XML Service instead. If the STA is hosted by the Citrix XML Service, configure the Citrix SSL Relay so that traffic between the Secure Gateway and the STA is protected by SSL/TLS.

During installation of the Secure Gateway, enter the FQDN of the server running Citrix XenApp. If you are using an SSL-enabled connection between the Secure Gateway and the STA, make sure the correct certificates are installed from a certificate authority.
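Before running the Secure Gateway Configuration wizard it is worth confirming that a usable certificate is already in place, since the wizard rejects certificates without a private key and expects them in the local computer store. The PowerShell below is an added pre-flight check, not part of the Citrix documentation: it looks in `Cert:\LocalMachine\My` for a current certificate that has a private key, whose subject or subject alternative name matches the gateway FQDN (honouring the single-label rule for wildcard certificates), and whose chain builds to a trusted certificate authority. The FQDN `sg.example.com` is an assumption.

```powershell
# Added example (not from the Citrix documentation): verify that a server
# certificate suitable for the Secure Gateway is installed. FQDN is assumed.
$Fqdn = 'sg.example.com'

function Test-CertificateName {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Name
    )
    # Collect the subject CN and every DNS subjectAltName (OID 2.5.29.17).
    # Format() output is locale-dependent ("DNS Name=host"); keep the value after '='.
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += @(($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() })
    }
    foreach ($n in $names) {
        if ($n -eq $Name) { return $true }     # exact, case-insensitive match
        if ($n.StartsWith('*.') -and $Name.EndsWith($n.Substring(1))) {
            # A wildcard covers exactly one label: *.example.com matches
            # sg.example.com but not a.sg.example.com
            $label = $Name.Substring(0, $Name.Length - $n.Length + 1)
            if ($label.Length -gt 0 -and $label -notmatch '\.') { return $true }
        }
    }
    return $false
}

$now = Get-Date
$usable = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    (Test-CertificateName -Cert $_ -Name $Fqdn)
}

if (-not $usable) {
    Write-Warning "No current certificate with a private key matches $Fqdn in Cert:\LocalMachine\My"
}

foreach ($c in $usable) {
    # Build the chain with online revocation checking, as a browser would
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ok = $chain.Build($c)
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        Subject    = $c.Subject
        NotAfter   = $c.NotAfter
        ChainOK    = $ok
        ChainError = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}
```

Run it on each server that terminates SSL/TLS: the Secure Gateway, the Secure Gateway Proxy, and the XenApp server hosting the STA when the link to the STA is SSL-enabled. A certificate that passes here but fails `ChainOK` usually means the issuing CA's intermediate certificate is missing from the local machine store.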

Testing Your Deployment

After you complete installation and configuration of the Secure Gateway, test your deployment to make sure it works and is accessible through the Internet.

If you encounter problems loading the logon page, try working your way through the deployment steps to figure out the problem.

You can also run the Secure Gateway Diagnostics tool to find a solution. This utility contacts all servers running the Secure Gateway components and generates a report containing configuration and status information for each component. For more information, see Generating the Secure Gateway Diagnostics Report.

To test your deployment

  1. Use a web browser on the user device to connect to the Secure Gateway; for example, https://<Web Interface FQDN>/Citrix/XenApp.
  2. Log on with your domain credentials. After a brief interval, the Applications page containing icons for published resources appears.
  3. Verify that you can start published applications from this page.
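A browser test confirms that the logon page loads but says little about what the handshake negotiated. The PowerShell below is an added example, not part of the Citrix documentation, that performs step 1 from a user device by hand: it opens a TCP connection to the gateway on 443, completes the SSL/TLS handshake, reports the negotiated protocol version, cipher strength, and certificate validation verdict (which is also the quickest way to confirm that the cipher-suite restrictions described under "Standard encryption protocols" took effect), and then requests the logon page over the same channel. The gateway FQDN `sg.example.com` and the path `/Citrix/XenApp` are assumptions.

```powershell
# Added example (not from the Citrix documentation): connect to the Secure Gateway
# from a user device and report what the SSL/TLS handshake negotiated. FQDN and
# logon path are assumptions.
$Fqdn = 'sg.example.com'
$Path = '/Citrix/XenApp'

# Record the chain/name validation verdict instead of aborting, so it can be reported
$script:validationErrors = 'None'
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:validationErrors = $sslPolicyErrors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Fqdn, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Fqdn)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    [pscustomobject]@{
        Protocol        = $ssl.SslProtocol            # expect Tls12 or newer, never Ssl3
        Cipher          = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
        Hash            = $ssl.HashAlgorithm
        KeyExchange     = $ssl.KeyExchangeAlgorithm
        CertSubject     = $cert.Subject
        CertExpires     = $cert.NotAfter
        ChainValidation = $script:validationErrors    # anything but None: a browser would warn
    } | Format-List

    if ($script:validationErrors -ne 'None') {
        Write-Warning "Certificate would be rejected by browsers: $script:validationErrors"
    }

    # Request the logon page over the authenticated channel and show the status line
    $request = "GET $Path HTTP/1.1`r`nHost: $Fqdn`r`nConnection: close`r`n`r`n"
    $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
    $ssl.Write($bytes, 0, $bytes.Length)
    $ssl.Flush()
    $reader = New-Object System.IO.StreamReader($ssl)
    "Logon page response: $($reader.ReadLine())"
}
catch {
    Write-Warning "Connection to ${Fqdn}:443 failed: $_"
}
finally {
    $tcp.Close()
}
```

Run it from outside the corporate network, since the point of the test is reachability through the Internet-facing firewall. A `ChainValidation` value other than `None` means the certificate installed on the gateway does not match the public name or does not chain to a CA the device trusts, which is the usual reason the logon page fails to load in a browser. Steps 2 and 3 (logging on and launching a published application) still need a real session because they exercise the Web Interface, the STA, and ICA end to end.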