Sunday, August 14, 2011

Installing Citrix Secure Gateway and Web Interface (XenApp 6) - part5

Configure Web Interface to Support Secure Gateway

Now we need to configure the Web Interface to ensure that client connections are directed through the Secure Gateway.  If this is not configured, clients will reach the Web Interface through the Secure Gateway, but connections to applications will be direct, meaning the client will not use the Secure Gateway connection for applications.  Go to Start > All Programs > Citrix > Management Consoles > Citrix Web Interface Management.


Select XenApp Web Sites in the left pane, select the XenApp site in the center, then click Secure Access in the right pane.

I will reconfigure all client connections on the Web Interface server to use the Secure Gateway connection.  If you prefer, you can select different access methods depending on which network the client is connected to.  Highlight Default and click Edit.

In the dropdown list, change the Access method to Gateway Direct.  Click OK.

Click Next.

Enter the FQDN for the Secure Gateway that clients will use to connect in the web browser.  Remember this address needs to be the same as the Issue/Common Name on the certificate you specified earlier for Secure Gateway to use.  I will uncheck Enable Session Reliability for now.  Click Next.

Click Add to specify STAs on our XenApp servers.  Again, it is a good idea to specify 2 or 3, but I only have one.

Enter the names of your XenApp servers like the example.  If you have a non-default XML Service port append that after the FQDN as I have above.  Click OK.

Click Finish.

Finally, I had to open up an inbound connection on my firewall.  It seems that a rule allowing access is not automatically set up by the Secure Gateway installation.  Click Start, type “wf.msc” without quotes, and press Enter.

Highlight Inbound Rules on the left and click New Rule on the right.

Select Port for rule type and click Next.

Select Specific local ports and type in 443 (my screen capture mistakenly shows 433, which I had to fix later).  Click Next.

Choose Allow the connection and click Next.

Click Next.

Type HTTPS or Secure Gateway for a rule name and click Finish.

Test Client Connection Through Secure Gateway
Switch back to your client computer, go into Internet Explorer and type:
https://YourSecureGatewayServer/citrix/xenapp

You should be presented with the same log on screen as with the Web Interface.  Make sure that it's running over HTTPS.  Log on with your user, password, and domain.

The list of published applications this user has authorization for will appear.  Click one of the icons and start an application.  After a few moments it should appear.

This is the output of “netstat -an” on my client while running an application accessed through the Secure Gateway connection.  Notice my only connection to XenApp is through the Secure Gateway/WI server on port 443.
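
The same netstat check can be scripted. This is an added example, not part of the original post: it parses "netstat -an" text and reports any established session that bypasses the Secure Gateway. The IP addresses, sample output, and function names are constructed for illustration.

```python
import re

# Constructed samples of Windows `netstat -an` output (documentation IPs, not from the post).
VIA_GATEWAY = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.50:49712     203.0.113.10:443       ESTABLISHED
  TCP    192.168.1.50:49720     198.51.100.7:80        TIME_WAIT
  TCP    [::1]:49800            [::1]:445              ESTABLISHED
"""
DIRECT = VIA_GATEWAY + "  TCP    192.168.1.50:49730     10.0.0.21:1494         ESTABLISHED\n"

# Ports from the firewall list on this page: ICA and session reliability.
ICA_PORTS = {1494, 2598}
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def split_endpoint(endpoint):
    """Split 'host:port' (IPv6 hosts are bracketed) into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def audit(netstat_text, gateway_ip, xenapp_ips=()):
    """Return (gateway_sessions, direct_sessions) for ESTABLISHED TCP rows."""
    gateway, direct = [], []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m.group(3) != "ESTABLISHED":
            continue
        host, port = split_endpoint(m.group(2))
        if host == gateway_ip and port == 443:
            gateway.append((host, port))
        elif port in ICA_PORTS or host in xenapp_ips:
            direct.append((host, port))  # traffic bypassing the gateway
    return gateway, direct

def routed_through_gateway(netstat_text, gateway_ip, xenapp_ips=()):
    """True only if a 443 session to the gateway exists and nothing goes direct."""
    gateway, direct = audit(netstat_text, gateway_ip, xenapp_ips)
    return bool(gateway) and not direct

if __name__ == "__main__":
    for name, text in (("via gateway", VIA_GATEWAY), ("direct", DIRECT)):
        print(name, audit(text, "203.0.113.10", xenapp_ips=("10.0.0.21",)))
```

Passing the XenApp server addresses as xenapp_ips also catches direct sessions on a non-default port.
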

You will need to make sure to allow connections on your firewall for everything to work properly.  Here is what I configured in my environment:

Internet to DMZ:
    TCP port 443 to CSG/WI server

DMZ to XenApp Farm Network:
    TCP 80 (or non-default port of XML Service)
    TCP 443 (if STA traffic encrypted)
    TCP 1494 (no session reliability) or TCP 2598 (session reliability)

Congratulations, you’ve now configured a secured method of accessing your Citrix XenApp applications from the internet!
