copy of the End User License Agreement is included on your product CD-ROM.
Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.
© 2005 - 2006 Citrix Systems, Inc. All rights reserved.
Citrix, ICA (Independent Computing Architecture) and Program Neighborhood are registered trademarks, and Citrix Presentation Server, Access Gateway, and SpeedScreen are trademarks of Citrix Systems, Inc. in the United States and other countries.
RSA © 1996-1997 RSA Security Inc., All Rights Reserved.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org). AOL Instant Messenger is a registered trademark of America Online, Inc.
McAfee Personal Firewall Plus is a registered trademark of McAfee, Inc.
Symantec and the Symantec logo are trademarks or registered trademarks, in the United States and certain other countries, of Symantec Corporation.
ZoneAlarm is a trademark or registered trademark of Zone Labs LLC in the United States and other countries.
Win32 Client: Portions of this software are based on code owned and copyrighted by O'Reilly Media, Inc. 1998. (CJKV Information Processing, by Ken Lunde. ISBN: 1565922247.) All rights reserved.
Licensing: Portions of this documentation that relate to Globetrotter, Macrovision, and FLEXlm are copyright © 2005 Macrovision Corporation. All rights reserved.
Trademark Acknowledgements
Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries.
Apple, LaserWriter, Mac, Macintosh, Mac OS, and Power Mac are registered trademarks or trademarks of Apple Computer Inc. SafeWord Remote Access, SafeWord for Citrix, and SafeWord PremierAccess are registered trademarks or trademarks of Secure Computing Corporation.
Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Solaris is a registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc has not tested or approved this product. Microsoft, MS-DOS, Windows, Windows Media, Windows Server, Windows NT, Windows 2000 Professional, Windows 2000 Server, Windows XP Home Edition, Windows XP Professional, Windows Server 2003, Win32, Outlook, ActiveX, Active Directory, MSN Messenger, and DirectShow are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Firefox is a trademark of the Mozilla Foundation.
BlackICE PC Protection is a trademark of Network Ice Corporation. ICQ is a trademark or servicemark of ICQ.
UNIX is a registered trademark of The Open Group. Softerra is a trademark of Softerra LLC.
Licensing: Globetrotter, Macrovision, and FLEXlm are trademarks and/or registered trademarks of Macrovision Corporation. All other trademarks and registered trademarks are the property of their respective owners.
Contents
Chapter 1
Introduction
How to Use This Guide . . . .13
Document Conventions . . . .13
Getting Service and Support. . . .14
Subscription Advantage . . . .15
Knowledge Center Watches . . . .15
Education and Training . . . .15
Related Documentation. . . .16
Chapter 2
Introducing Citrix Access Gateway
Access Gateway Technologies . . . .17
Access Gateway Modes of Operation . . . .18
Functions of the Access Gateway . . . .19
New Features. . . .19
Chapter 3
Planning Your Deployment
Deploying the Access Gateway . . . .23
Access Gateway in the Network DMZ . . . .24
Installing the Access Gateway in the DMZ . . . .25
Access Gateway Connectivity in the DMZ . . . .25
Access Gateway in a Secure Network . . . .25
Access Gateway Connectivity in a Secure Network . . . .26
Security Considerations . . . .26
Configuring Secure Certificate Management . . . .26
Authentication Support . . . .27
Deploying the Access Gateway with Citrix Presentation Server . . . .28
Deploying the Access Gateway in the DMZ with Citrix Presentation Server . . . .28
Deploying the Access Gateway in a Double-Hop DMZ . . . .32
Deploying Additional Appliances for Load Balancing and Failover . . . .33
Deploying Access Gateway Advanced Edition . . . .34
Multiple Servers in an Access Server Farm . . . .36
Chapter 4
Installing the Access Gateway for the First Time
Getting Ready to Install the Access Gateway . . . .37
Materials and Information Needed for Installation. . . .37
Setting Up the Access Gateway Hardware . . . .38
Configuring TCP/IP Settings for the Access Gateway . . . .39
Configuring TCP/IP Settings Using the Serial Console. . . .39
Configuring TCP/IP Settings Using Network Cables . . . .41
Configuring TCP/IP Settings for a Double-Hop Deployment . . . .44
Restarting the Access Gateway. . . .44
Chapter 5
Configuring the Access Gateway for Your Network Environment
Installing Licenses. . . .45
Obtaining Your License Files . . . .46
Configuring Licenses for Multiple Appliances . . . .48
Information about Your Licenses . . . .49
Updating Existing Licenses. . . .49
Licensing Grace Period . . . .50
Testing Your License Installation . . . .50
Creating and Installing Certificates . . . .51
Overview of the Certificate Signing Request . . . .51
Creating a Certificate Signing Request. . . .52
Installing a Certificate and Private Key from a Windows Computer . . . .55
Installing Root Certificates on the Access Gateway. . . .55
Installing Multiple Root Certificates. . . .56
Configuring Additional Network Settings . . . .57
Configuring Name Service Providers . . . .57
Editing the HOSTS File . . . .58
Configuring Dynamic and Static Routes . . . .58
Configuring the Date and Time on the Access Gateway. . . .63
Configuring a Network Time Protocol Server . . . .63
Using the Default Portal Page. . . .64
Installing Secure Access Client for Linux . . . .66
Chapter 6
Configuring Authentication and Authorization
Choosing When to Configure Authentication on the Access Gateway. . . .70
Configuring Authentication on the Access Gateway. . . .70
Configuring the Default Realm . . . .72
Creating Additional Realms . . . .73
Configuring Local Authentication . . . .74
Configuring Local Users. . . .75
Adding Users to Multiple Groups. . . .76
Changing Password for Users . . . .76
Configuring LDAP Authentication and Authorization . . . .77
Configuring LDAP Authorization . . . .81
LDAP Authorization Group Attribute Fields . . . .82
Using Certificates for Secure LDAP Connections . . . .83
Determining Attributes in your LDAP Directory. . . .83
Configuring RADIUS Authentication and Authorization . . . .85
RADIUS Authorization. . . .87
Choosing RADIUS Authentication Protocols . . . .88
Configuring RSA SecurID Authentication . . . .88
Configuring RSA Settings for a Cluster . . . .92
Resetting the Node Secret . . . .92
Configuring Secure Computing SafeWord Authentication. . . .92
Configuring SafeWord Settings on the Access Gateway. . . .93
Configuring Authorization with SafeWord . . . .94
Configuring NTLM Authentication and Authorization. . . .94
Configuring NTLM Authorization . . . .96
Configuring Double-Source Authentication . . . .97
Changing Password Labels. . . .98
Chapter 7
Configuring Network Access and Group Resources
Configuring Network Routing . . . .99
Providing Network Access to Users. . . .100
Enabling Split Tunneling and Accessible Networks . . . .101
Configuring User Groups . . . .103
Configuring Access Control Lists. . . .103
Creating Local User Groups . . . .104
Configuring Resource Groups . . . .104
Creating User Groups . . . .106
Configuring Resources for a User Group. . . .107
Configuring User Membership in Multiple Groups . . . .108
Configuring Network Resources . . . .108
Allowing and Denying Network Resources and Application Policies . . . .111
Setting Application Policies . . . .112
Configuring End Point Policies and Resources . . . .114
Configuring End Point Resources. . . .114
Building an End Point Policy for a Group . . . .116
Setting the Priority of Groups. . . .117
Configuring Pre-Authentication Policies . . . .119
Chapter 8
Configuring User Connections for Secure Access Client
System Requirements . . . .122
Operating Systems. . . .122
Web Browsers . . . .122
How User Connections Work. . . .123
Establishing the Secure Tunnel. . . .123
Tunneling Private Network Traffic over Secure Connections . . . .124
Terminating the Secure Tunnel and Returning Packets to the Client . . . .126
Supporting the Secure Access Client . . . .127
Configuring Proxy Servers for the Secure Access Client . . . .128
Configuring Secure Access Client to Work with Non-Administrative Users . . . .129
Configuring Single Sign-on with Windows Operating System . . . .129
Connecting with Earlier Versions of the Secure Access Client . . . .130
Connecting Using a Web Address . . . .131
Installing the ActiveX Helper . . . .132
Logging on Using the Secure Access Client . . . .132
Connections Using Kiosk Mode. . . .136
Creating a Kiosk Mode Resource . . . .139
Configuring Client Applications for Kiosk Mode . . . .139
Configuring File Shares for Kiosk Mode . . . .143
Configuring Authentication Requirements after Network Interruption . . . .144
Configuring Other Group Properties . . . .145
Enabling IP Pooling. . . .146
Enabling Split DNS . . . .147
Enabling Internal Failover. . . .147
Enabling Domain Logon Scripts. . . .147
Enabling Secure Access Client Session Time-Outs . . . .148
Configuring Web Session Time-Outs. . . .149
Closing and Disabling User Connections. . . .150
How the Access Gateway Handles Connections . . . .151
Closing a Connection to a Resource . . . .151
Disabling and Enabling a User . . . .152
Requiring Client Certificates for Authentication . . . .152
Defining Client Certificate Criteria. . . .153
Using Client Certificates with Access Gateway Advanced Edition . . . .155
Installing Root Certificates . . . .155
Obtaining a Root Certificate from a Certificate Authority. . . .155
Installing Root Certificates on a Client Device . . . .156
Selecting an Encryption Type for Client Connections. . . .156
Supporting Voice over IP Softphones . . . .157
Improving Voice over IP Connections . . . .158
Chapter 9
Configuring Logon and Portal Pages for Secure Access Client
Configuring Access Gateway Logon Pages. . . .159
Enabling Logon Page Authentication . . . .159
Customizing the Logon Page . . . .160
Access Gateway Portal Page Templates . . . .161
Downloading and Working with Portal Page Templates . . . .161
Including the ActiveX Control . . . .163
Installing Custom Portal Page Files . . . .163
Linking to Clients from Your Web Site . . . .164
Choosing a Portal Page for a Group . . . .165
Configuring a Portal Page with Multiple Logon Options . . . .165
Logging On Using Double-Source Authentication . . . .166
Logging On When Pre-Authentication Policies are Configured . . . .166
Chapter 10
Providing Access to Published Applications
How User Connections to a Server Farm Work. . . .168
Replacing the Secure Gateway. . . .170
Preparing to Migrate to the Access Gateway . . . .173
Migrating from the Secure Gateway to the Access Gateway. . . .174
Monitoring the Access Gateway after Installation . . . .177
Configuring the Web Interface. . . .177
Deploying the Web Interface Parallel to the Access Gateway in the DMZ . . . .177
Deploying the Web Interface behind the Access Gateway in the DMZ . . . .179
Configuring the Web Interface for Authentication . . . .180
Setting Up and Testing the Web Interface . . . .181
Configuring the Web Interface . . . .182
Configuring the Secure Ticket Authority. . . .184
Configuring ICA Access Control . . . .185
Using the Web Interface as a Logon Page . . . .186
Configuring Single Sign-On to the Web Interface. . . .187
Configuring the Access Gateway for Single Sign-On to the Web Interface . . . .188
Configuring the Web Interface for Single Sign-On . . . .189
Enabling Session Reliability. . . .191
Chapter 11
Deploying the Access Gateway in a Double-Hop Demilitarized Zone
Communication Flow in a Double-Hop DMZ Configuration . . . .195
Client Authentication. . . .195
Session Ticket Creation. . . .196
Connection Completion. . . .197
Preparing for a Double-Hop DMZ Deployment . . . .198
Supporting Load Balancing. . . .198
Using Logon Page Authentication in a Double-Hop DMZ . . . .199
Planning the Access Gateway Administration Tool Installation . . . .201
Opening Ports and Managing Certificates . . . .203
Components Required to begin the Deployment . . . .203
Installing the Access Gateway in a Double-Hop DMZ . . . .204
Step 1: Installing an Access Gateway in the First DMZ . . . .204
Step 2: Enabling or Disabling Logon Page Authentication . . . .205
Step 3: Configuring the Access Gateway to Redirect Connections to the Web Interface . . . .205
Step 4: Installing an Access Gateway in the Second DMZ . . . .207
Step 5: Configuring the Access Gateway to Communicate with the Access Gateway Proxy . . . .207
Step 6: Configuring the Access Gateway Proxy to Communicate with the Access Gateway . . . .209
Step 7: Configuring the Access Gateway to Handle Secure Ticket Authority and ICA Traffic . . . .210
Step 8: Opening the Appropriate Ports on the Firewalls . . . .211
Client Connection Process in a Double-Hop DMZ Deployment . . . .217
Client Authentication. . . .217
Session Ticket Creation. . . .218
Client Launch . . . .218
Connection Completion. . . .219
Chapter 12
Maintaining the Access Gateway
Access Gateway Administration Tools . . . .222
The Administration Tool. . . .222
The Administration Portal. . . .223
Monitoring the Access Gateway with the Administration Desktop. . . .225
Upgrading the Access Gateway Software . . . .226
Installing the Software Upgrade . . . .228
Reinstalling the Access Gateway Software . . . .228
Saving and Restoring the Access Gateway Configuration . . . .229
Restarting and Shutting Down the Access Gateway . . . .230
Restarting the Access Gateway. . . .230
Shutting Down the Access Gateway. . . .230
Initializing the Access Gateway . . . .231
Allowing ICMP Traffic . . . .231
Configuring Third-Party Personal Firewalls . . . .232
BlackICE PC Protection . . . .233
McAfee Personal Firewall Plus. . . .233
Norton Personal Firewall. . . .233
Sygate Personal Firewall (Free and Pro Versions) . . . .233
Tiny Personal Firewall . . . .234
ZoneAlarm Pro . . . .234
Chapter 13
Installing Additional Access Gateway Appliances
Creating a Cluster of Access Gateway Appliances . . . .236
Configuring Multiple Appliances to Use a Load Balancer . . . .239
Configuring Load Balancing. . . .240
Appendix A
Monitoring the Access Gateway
Viewing and Downloading System Message Logs . . . .245
Viewing Secure Access Client Connection Logs . . . .246
Forwarding System Messages to a Syslog Server . . . .247
Enabling and Viewing SNMP Logs . . . .247
Multi Router Traffic Grapher Example . . . .248
Viewing System Statistics . . . .249
Monitoring Access Gateway Operations . . . .250
Appendix B
Securing Connections with Digital Certificates
Introduction to Security Protocols, Cryptography, and Digital Certificates . . . .253
Introduction to Security Protocols . . . .253
Introduction to Cryptography . . . .254
Digital Certificates and Certificate Authorities . . . .257
Getting Certificates . . . .260
If Your Organization Is its Own Certificate Authority. . . .261
If Your Organization Is not its Own Certificate Authority . . . .261
Getting Server Certificates . . . .262
Digital Certificates and Access Gateway Operation . . . .262
Using Windows Certificates. . . .262
Unencrypting the Private Key. . . .263
Converting to a PEM-Formatted Certificate. . . .264
Combining the Private Key with the Signed Certificate . . . .264
Generating Trusted Certificates for Multiple Levels . . . .265
Requiring Certificates for Internal Connections . . . .266
Using Wildcard Certificates . . . .267
Appendix C
Examples of Configuring Network Access
Configuration Examples . . . .270
Scenario for Configuring LDAP Authentication and Authorization. . . .271
Preparing for the LDAP Authentication and Authorization Configuration. . .271
Configuring the Access Gateway to Support Access to the Internal Network Resources . . . .276
Scenario for Creating Guest Accounts Using the Local Users List. . . .285
Creating a Guest User Authentication Realm. . . .286
Creating Local Users . . . .287
Creating and Assigning a Network Resource to the Default User Group . . . .287
Appendix D
Troubleshooting the Access Gateway
Troubleshooting Web Interface Connections. . . .291
Web Interface Appears without Typing Credentials . . . .291
Applications do not Appear after Logging On . . . .291
Users are Sent to a Logon Page that Asks to Start the Secure Access Client . . . .292
Other Issues. . . .292
License File Does not Match Access Gateway. . . .292
Defining Accessible Networks Subnet Restriction. . . .293
VMWare . . . .293
ICMP Transmissions . . . .293
Ping Command . . . .293
LDAP Authentication . . . .293
End Point Policies . . . .294
Network Resources . . . .294
Kiosk Connections. . . .294
Internal Failover . . . .294
Certificate Signing. . . .294
Certificate Revocation Lists . . . .295
Network Messages to Non-Existent IPs . . . .295
The Access Gateway Does not Start and the Serial Console Is Blank. . . .295
The Administration Tool Is Inaccessible . . . .295
Devices Cannot Communicate with the Access Gateway . . . .296
Using Ctrl-Alt-Delete to Restart the Access Gateway Fails . . . .296
SSL Version 2 Sessions and Multilevel Certificate Chains . . . .296
H.323 Protocol. . . .296
Certificates Using 512-Bit Keypairs . . . .296
Unable to Restrict Drive Mapping with an Application Policy . . . .296
Secure Access Client. . . .297
Secure Access Client Connections with Windows XP. . . .297
DNS Name Resolution Using Named Service Providers. . . .297
Auto-Update Feature . . . .297
Client Connections from a Windows Server 2003 . . . .297
NTLM Authentication. . . .297
WINS Entries. . . .298
Introduction
This chapter describes who should read the Citrix Access Gateway Administrator’s Guide, how it is organized, and its document conventions.
How to Use This Guide
This user guide is intended for system administrators responsible for installing and configuring the Access Gateway. This document assumes that the Access Gateway is connected to an existing network and that the administrator has experience configuring that network.
The configuration steps in this document assume that the Access Gateway is deployed as a standalone appliance and that users connect directly to the Access Gateway.
This user guide also has information for configuring the Access Gateway to work with Citrix Presentation Server and Access Gateway Advanced Edition. For more information, see “Providing Access to Published Applications” on page 167 and “Deploying Access Gateway Advanced Edition” on page 34.
Document Conventions
Access Gateway documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface:
Convention        Meaning
Boldface          Commands, names of interface items such as text boxes, option buttons, and user input.
Italics           Placeholders for information or parameters that you provide. For example, filename in a procedure means you type the actual name of a file. Italics also are used for new terms and the titles of books.
%SystemRoot%      The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or other name you specify when you install Windows.
{ braces }        A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves.
[ brackets ]      Optional items in command statements. For example, [/ping] means that you can type /ping with the command. Do not type the brackets themselves.
| (vertical bar)  A separator between items in braces or brackets in command statements. For example, { /hold | /release | /delete } means you type /hold or /release or /delete.
… (ellipsis)      You can repeat the previous item or items in command statements. For example, /route:devicename[,…] means you can type additional devicenames separated by commas.
Getting Service and Support
Citrix provides technical support primarily through the Citrix Solution Advisors. Our Citrix Solutions Advisor partners are trained and authorized to provide a high level of support to our customers. Contact your supplier for first-line support or check for your nearest CSN partner at http://www.citrix.com/support/.
In addition to the CSN channel program, Citrix offers a variety of self-service, Web-based technical support tools from its Knowledge Center at http://support.citrix.com/. Knowledge Center features include:
• A knowledge base containing thousands of technical solutions to support your Citrix environment
• An online product documentation library
• Interactive support forums for every Citrix product
• Access to the latest hotfixes and service packs
• Security bulletins
• Online problem reporting and tracking (for organizations with valid support contracts)
Another source of support, Citrix Preferred Support Services, provides a range of options that allows you to customize the level and type of support for your organization’s Citrix products.
Subscription Advantage
Your product includes a one-year membership in the Subscription Advantage program. The Citrix Subscription Advantage program gives you an easy way to stay current with the latest software version and information for your Citrix products. Not only do you get automatic access to download the latest feature releases, software upgrades, and enhancements that become available during the term of your membership, you also get priority access to important Citrix technology information.
You can find more information on the Citrix Web site at http://www.citrix.com/services/ (select Subscription Advantage). You can also contact your sales representative, Citrix Customer Care, or a member of the Citrix Solutions Advisors program for more information.
Knowledge Center Watches
The Citrix Knowledge Center allows you to configure watches. A watch notifies you if the topic you are interested in was updated. Watches allow you to stay notified of updates to Knowledge Base or Forum content. You can set watches on product categories, document types, individual documents, and on Forum product categories and individual topics.
To set up a watch, log on to the Citrix Support Web site at http://support.citrix.com. After you are logged on, in the upper right corner, click My Watches and follow the instructions.
Education and Training
Citrix offers a variety of instructor-led training and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. Web-based training courses are available through CALCs, resellers, and from the Citrix Web site.
Related Documentation
For additional information about the Access Gateway, refer to the following guides:
Introducing Citrix Access Gateway
Citrix Access Gateway is a universal Secure Socket Layer (SSL) virtual private network (VPN) appliance that provides a secure single point-of-access to any information resource — both data and voice. Combining the best features of Internet Protocol Security (IPSec) and SSL VPN, without the costly and cumbersome implementation and management, the Access Gateway works through any firewall and supports all applications and protocols. It is fast, simple, and cost-effective to deploy and maintain with a Web-deployed and automatically updating client. Users receive a consistent desk-like user experience with “always-on” connectivity, an integrated worm-blocking client, and integrated end-point scanning. With the Citrix Access Gateway, organizations can quickly and easily deploy one product for all of their secure remote access needs.
The Access Gateway gives the remote user seamless, secure access to authorized applications and network resources. Remote users can work with files on network drives, email, intranet sites, and applications just as if they are working inside of their organization’s firewall.
The following topics provide an overview of the Access Gateway:
• Access Gateway Technologies
• Access Gateway Modes of Operation
• New Features
Access Gateway Technologies
The Access Gateway is quick and easy to deploy and simple to administer. The most typical deployment configuration is to locate the Access Gateway behind your firewall or in the demilitarized zone (DMZ). More complex deployments, such as with a server load balancer or in a double-hop DMZ, are also supported. The first time the Access Gateway is started, use the Access Gateway for authentication, authorization, and group-based access control, kiosk mode, end point resources and policies, portal pages, and IP pools.
For more information about installing the Access Gateway, see Getting Started with Citrix Access Gateway Standard Edition or “Installing the Access Gateway for the First Time” on page 37.
Access Gateway Modes of Operation
The Access Gateway can be used in one of four ways:
Connections through the appliance only. In this scenario, the Access Gateway is installed as a standalone appliance in the DMZ. Users connect directly to the Access Gateway using the Secure Access Client and then have access to network resources, such as email and Web servers.
Connections using the Web Interface and Citrix Presentation Server. In this scenario, users log on to the Web Interface and then are connected to their applications on Citrix Presentation Server. Depending on how the Access Gateway is deployed with Presentation Server, users can connect with just Citrix Presentation Server Clients, Secure Access Client, or have simultaneous connections using both clients. For more information, see “Providing Access to Published Applications” on page 167.
Connections using Access Gateway Advanced Edition. In this scenario, the Access Gateway is installed in the DMZ. Initial TCP/IP settings for the appliance are configured during installation of the appliance. Advanced settings to manage the Access Gateway are configured using the Access Management Console included with Access Gateway Advanced Edition. For more information, see “Deploying Access Gateway Advanced Edition” on page 34 or the Citrix Access Gateway Advanced Edition Administrator’s Guide.
Connections using kiosk mode. The Access Gateway also provides kiosk mode, which opens a virtual network computing-like connection to the Access Gateway. Kiosk mode can include shared network drives, a variety of built-in clients, servers running Windows Terminal Services (Remote Desktop), and client applications. For more information about kiosk mode, see “Connections Using Kiosk Mode” on page 136.
Functions of the Access Gateway
The Access Gateway performs the following functions:
• Authentication
• Termination of encrypted sessions
• Access control (based on permissions)
• Data traffic relay (when the first three functions are met)
As a standalone appliance in the DMZ, the Access Gateway operates as follows:
• A remote user downloads the Secure Access Client by connecting to a secure Web address and providing authentication credentials.
• After downloading the Secure Access Client, the user logs on. When the user successfully authenticates, the Access Gateway establishes a secure tunnel.
• As the remote user attempts to access network resources across the VPN tunnel, the Secure Access Client encrypts all network traffic destined for the organization’s intranet and forwards the packets to the Access Gateway.
• The Access Gateway terminates the SSL tunnel, accepts any incoming traffic destined for the private network, and forwards the traffic to the private network. The Access Gateway sends traffic back to the remote computer over a secure tunnel.
New Features
Configurable symmetric encryption ciphers. You can select the specific cipher that the Access Gateway uses for symmetric data encryption on an SSL connection. You can select one of these three encryption ciphers:
• RC4 128 Bit, MD5/SHA
• 3DES, SHA
• AES 128/256 Bit, SHA
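Whichever of the three options is selected, an administrator will want to confirm on the wire what the gateway actually negotiates. The following Python script is an added example, not Citrix code or part of this guide: it maps the three option labels to the OpenSSL cipher-suite names they correspond to (assuming the RSA key-exchange suites of that era), classifies whatever a handshake returns, and can probe a gateway you administer once per option. The host name gateway.example.com is a placeholder.

```python
"""Cipher audit helper for an Access Gateway SSL listener (constructed example)."""
import socket
import ssl

# The guide's three selectable options mapped to OpenSSL cipher-suite names.
# Assumption: the appliance uses the RSA key-exchange suites these names denote.
GUIDE_OPTIONS = {
    "RC4 128 Bit, MD5/SHA": "RC4-MD5:RC4-SHA",
    "3DES, SHA": "DES-CBC3-SHA",
    "AES 128/256 Bit, SHA": "AES128-SHA:AES256-SHA",
}

# Defender's view of each family: RC4 is prohibited for TLS by RFC 7465 and
# 3DES has a 64-bit block (Sweet32); only the AES option is acceptable today.
RECOMMENDATION = {
    "RC4": "avoid: RC4 is prohibited for TLS by RFC 7465",
    "3DES": "avoid: 64-bit block cipher, exposed to Sweet32-style attacks",
    "AES": "acceptable: AES with SHA-1 MAC, the strongest option the guide offers",
}


def cipher_string_for(option):
    """Return the OpenSSL cipher string for one of the guide's option labels."""
    try:
        return GUIDE_OPTIONS[option]
    except KeyError:
        raise ValueError("unknown option %r; expected one of %s"
                         % (option, sorted(GUIDE_OPTIONS))) from None


def classify_cipher(cipher_name):
    """Map a negotiated cipher name (OpenSSL or IANA style) to RC4/3DES/AES."""
    name = cipher_name.upper()
    if "RC4" in name:
        return "RC4"
    if "DES-CBC3" in name or "3DES" in name:
        return "3DES"
    if "AES" in name:
        return "AES"
    return "OTHER"


def audit_cipher(cipher_tuple):
    """Take the (name, protocol, bits) tuple returned by SSLSocket.cipher()
    and return the cipher family plus a recommendation."""
    name, version, bits = cipher_tuple
    family = classify_cipher(name)
    return {
        "cipher": name,
        "protocol": version,
        "bits": bits,
        "family": family,
        "recommendation": RECOMMENDATION.get(family, "review manually"),
    }


def probe_gateway(host, port=443, options=None, timeout=5.0):
    """Attempt one handshake per guide option with the client restricted to
    that option's suites. Returns {option: audit dict or reason string}.
    Certificate verification is off because the point is cipher negotiation,
    not trust; use it only against a gateway you administer."""
    results = {}
    for option in options or GUIDE_OPTIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            # A 2006-era appliance speaks TLS 1.0; allow it if this build can.
            ctx.minimum_version = ssl.TLSVersion.TLSv1
        except (ValueError, ssl.SSLError):
            pass
        try:
            ctx.set_ciphers(cipher_string_for(option))
        except ssl.SSLError:
            # Modern OpenSSL builds often no longer ship RC4 or 3DES at all.
            results[option] = "not available in this client's OpenSSL"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[option] = audit_cipher(tls.cipher())
        except (OSError, ssl.SSLError) as exc:
            results[option] = "rejected or failed: %s" % exc
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "gateway.example.com"
    for opt, outcome in probe_gateway(target).items():
        print("%-24s %s" % (opt, outcome))
```

An option reported as "rejected or failed" means the gateway refused every suite in that family, which is the outcome to expect for RC4 and 3DES once the AES option is selected.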
Automatic detection of proxy server settings. In this release, the Secure Access Client automatically detects the proxy server settings specified in the operating system.
Secure Access Client connections. The Secure Access Client included in this release can connect to earlier versions of the Access Gateway. Also, earlier versions of the Secure Access Client can connect to this release of the Access Gateway if enabled on the Global Cluster Policies tab.
Automatic port redirection. You can configure the Access Gateway so that any unsecure HTTP connection attempt on port 80 is automatically redirected by the Access Gateway to a secure HTTPS connection attempt on port 443 (or other administrator-specified port).
Disable desktop sharing. You can disable the desktop sharing feature of the Secure Access Client for a user group. The Secure Access Client desktop sharing feature allows a user to view a list of all other users who are logged on. If this capability causes privacy concerns for your organization, you can disable the desktop sharing feature to prevent a specific group of users from viewing the list of online users.
Additional control over Secure Access Client connections. You can configure the Secure Access Client to disconnect from the Access Gateway if there is no user activity on the connection for a specific time interval. You can also force a client disconnection if the connection remains active for a specific time interval or if the Access Gateway does not detect keyboard or mouse activity.
Disable kiosk mode. In this release, you can disable kiosk mode for client connections. When kiosk mode is disabled, users do not see the kiosk link on the Web portal page. Users are only allowed to log on using the full Secure Access Client or Citrix Presentation Server Clients.
Updated licensing. Licensing for the Access Gateway has changed to allow one Access Gateway to be a license server for all deployed appliances. Licenses are installed on one Access Gateway and the other appliances in the network are configured to obtain their licenses from the primary Access Gateway.
Voice over IP softphone support. The Access Gateway supports voice over IP softphones from Avaya, Nortel, and Cisco.
Editable HOSTS file. You can edit the HOSTS file on the Access Gateway from the user interface of the Administration Tool. The Access Gateway uses the HOSTS file in conjunction with DNS servers to force DNS resolution to translate host names to IP addresses.
Running logon scripts defined in the Microsoft Active Directory Group Policy. The Access Gateway supports the execution of Windows logon scripts defined in a Microsoft Active Directory Group Policy. Users must successfully authenticate with the Secure Access Client before the logon scripts can execute.
NTLM authentication and authorization support. If your environment includes Windows NT 4.0 domain controllers, the Access Gateway can authenticate users against the user domain accounts maintained on the Windows NT server. The Access Gateway can also authorize users to access internal network resources based on a user’s group memberships on the Windows NT 4.0 domain controller.
Added challenge-response to RADIUS user authentication. The Access Gateway now supports challenge-response token authentication with new PIN and next token modes when RSA SecurID authentication is used with RADIUS. SafeWord PremierAccess authentication has changed to use standards-based RADIUS token user authentication. The proprietary PremierAccess configuration file has been removed and replaced with RADIUS server support. Legacy SafeWord PremierAccess realms are converted when the Access Gateway is upgraded to Version 4.5. SafeWord authentication is configured using RADIUS-style parameters.
Planning Your Deployment
This chapter discusses deployment scenarios for the Access Gateway. You can deploy the Access Gateway at the perimeter of your organization’s internal network (or intranet) to provide a secure single point-of-access to the servers, applications, and other network resources residing in the internal network. All remote users must connect to the Access Gateway before they can access any resources on the internal network.
This chapter includes these four sections:
• Deploying the Access Gateway.
• Deploying the Access Gateway with Citrix Presentation Server. This section discusses deploying the Access Gateway with a server farm. You can deploy the Access Gateway in a single-hop DMZ configuration or a double-hop DMZ configuration.
• Deploying additional Access Gateway appliances to support load balancing and failover.
• Deploying the Access Gateway with Access Gateway Advanced Edition.
Deploying the Access Gateway
This section discusses the following Access Gateway deployments:
• Deploying the Access Gateway in the network demilitarized zone (DMZ)
• Deploying the Access Gateway in a secure network that does not have a DMZ
Access Gateway in the Network DMZ
Many organizations protect their internal network with a DMZ. A DMZ is a subnet that lies between an organization’s secure internal network and the Internet (or any external network). When the Access Gateway is deployed in the DMZ, users access it using the Secure Access Client, Citrix Presentation Server Clients or the kiosk client.
Access Gateway deployed in the DMZ
Installing the Access Gateway in the DMZ
In this configuration, you install the Access Gateway in the DMZ and configure it to connect to both the Internet and the internal network. Follow the instructions in “Installing the Access Gateway for the First Time” on page 37 to perform installation and configuration.
Access Gateway Connectivity in the DMZ
When you deploy the Access Gateway in the DMZ, client connections must traverse the first firewall to connect to the Access Gateway. By default, clients use Secure Sockets Layer (SSL) on port 443 to establish this connection. To support this connectivity, you must allow SSL on port 443 through the first firewall.
The Access Gateway decrypts the SSL connections from the client and establishes a connection on behalf of the client to the network resources behind the second firewall. The ports that must be open through the second firewall are dependent on the network resources that you authorize external users to access. For example, if you authorize external users to access a Web server in the internal network, and this server listens for HTTP connections on port 80, you must allow HTTP on port 80 through the second firewall. The Access Gateway establishes the connection through the second firewall to the HTTP server on the internal network on behalf of the external clients.
The Access Gateway administrative tools available on the Access Gateway also listen for connections on these ports:
• Port 9001 - Connections to the Administration Portal occur on this port.
• Port 9002 - Connections to the Administration Tool occur on this port.
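The two-firewall rule set described above, written out as a small default-deny policy model. This is an added example, not configuration from the Citrix guide or the appliance: the addresses, the management subnet and the decision to expose the administration ports (9001 and 9002) only to that subnet are constructed assumptions. It shows which flows each boundary must pass (SSL on 443 to the gateway through the first firewall; only the gateway, only to authorized resources, through the second) and which it must not.

```python
"""Two-firewall policy for an Access Gateway in the DMZ, as an added model.

Addresses, the management subnet and the choice to expose ports 9001/9002 only
to that subnet are constructed assumptions, not values from the Citrix guide.
"""
import ipaddress
from dataclasses import dataclass

# Constructed documentation addresses, not from the guide.
AG_EXTERNAL = ipaddress.IPv4Address("203.0.113.10")    # gateway, Internet-facing interface
AG_INTERNAL = ipaddress.IPv4Address("10.0.1.10")       # gateway, internal interface
INTRANET_WEB = ipaddress.IPv4Address("10.0.2.20")      # internal HTTP server users may reach
ANY = ipaddress.IPv4Network("0.0.0.0/0")
GATEWAY_ONLY = ipaddress.IPv4Network("10.0.1.10/32")
MANAGEMENT_NET = ipaddress.IPv4Network("10.0.1.0/24")  # assumption: administrators' subnet


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network   # permitted source network
    dst: ipaddress.IPv4Address   # permitted destination host
    port: int                    # permitted TCP destination port


def allowed(rules, src, dst, port):
    """Default deny: a flow passes only if some rule matches it exactly."""
    src = ipaddress.IPv4Address(src)
    dst = ipaddress.IPv4Address(dst)
    return any(src in r.src and dst == r.dst and port == r.port for r in rules)


# First firewall (Internet -> DMZ): SSL on 443 to the gateway, nothing else.
FIREWALL_1 = [Rule(ANY, AG_EXTERNAL, 443)]

# Second firewall (DMZ -> internal): only the gateway, only to authorized
# resources, on the port each resource listens on. Clients never cross it.
FIREWALL_2 = [Rule(GATEWAY_ONLY, INTRANET_WEB, 80)]

# Administration Portal (9001) and Administration Tool (9002) on the gateway.
# Assumption: reachable from the management subnet only, never through FIREWALL_1.
ADMIN_ACCESS = [
    Rule(MANAGEMENT_NET, AG_INTERNAL, 9001),
    Rule(MANAGEMENT_NET, AG_INTERNAL, 9002),
]


def audit_flows():
    """Evaluate constructed sample flows; returns {description: allowed?}."""
    client = "198.51.100.7"       # constructed Internet client
    admin_host = "10.0.1.55"      # constructed administrator workstation
    return {
        "client -> gateway:443 via FW1": allowed(FIREWALL_1, client, AG_EXTERNAL, 443),
        "client -> gateway:9001 via FW1": allowed(FIREWALL_1, client, AG_EXTERNAL, 9001),
        "gateway -> intranet web:80 via FW2": allowed(FIREWALL_2, AG_INTERNAL, INTRANET_WEB, 80),
        "gateway -> intranet web:22 via FW2": allowed(FIREWALL_2, AG_INTERNAL, INTRANET_WEB, 22),
        "client -> intranet web:80 via FW2": allowed(FIREWALL_2, client, INTRANET_WEB, 80),
        "admin -> gateway:9002": allowed(ADMIN_ACCESS, admin_host, AG_INTERNAL, 9002),
        "client -> gateway:9002": allowed(ADMIN_ACCESS, client, AG_INTERNAL, 9002),
    }


if __name__ == "__main__":
    for flow, ok in audit_flows().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {flow}")
```

The second firewall's rule list is the one that grows with each resource you authorize; keeping the source pinned to the gateway's internal address is what makes the gateway the single point of access the chapter describes.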
Access Gateway in a Secure Network
You can install the Access Gateway in the secure network. In this scenario, there is typically one firewall between the Internet and the secure network. The Access Gateway resides inside the firewall to control access to the network resources.
Access Gateway deployed in a secure network
Access Gateway Connectivity in a Secure Network
When an Access Gateway is deployed in the secure network, the Secure Access Client or kiosk client connections must traverse the firewall to connect to the Access Gateway. By default, both of these clients use the SSL protocol on port 443 to establish this connection. To support this connectivity, you must open port 443 on the firewall.
Security Considerations
When planning any type of Access Gateway deployment, there are basic security issues associated with certificates, authentication, and authorization that you should understand.
Configuring Secure Certificate Management
By default, the Access Gateway includes a self-signed SSL server certificate that enables it to complete SSL handshakes. Self-signed certificates are adequate for testing or sample deployments, but are not recommended for production environments.
Before you deploy the Access Gateway in a production environment, Citrix recommends that you request and receive a signed SSL server certificate from a known Certificate Authority and upload it to the Access Gateway.
If you deploy the Access Gateway in any environment where the Access Gateway must operate as the client in an SSL handshake (initiate encrypted connections with another server), you must also install a trusted root certificate on the Access Gateway. For more information about root certificates, see “Installing Root Certificates on the Access Gateway” on page 55.
For example, if you deploy the Access Gateway with Citrix Presentation Server and the Web Interface, you can encrypt connections from the Access Gateway to the Web Interface with SSL. In this configuration, you must install a trusted root certificate on the Access Gateway.
For more information, see “Creating and Installing Certificates” on page 51 and “Securing Connections with Digital Certificates” on page 253.
Authentication Support
You can configure the Access Gateway to authenticate users and control the level of access (or authorization) that users have to the network resources on the internal network.
Before deploying the Access Gateway, your network environment should have the corporate directories and authentication servers in place to support one of these authentication types:
• LDAP
• RADIUS
• RSA SecurID
• NTLM
• Secure Computing SafeWord products
If your environment supports none of the authentication types listed above, or you have a small population of remote users, you can create a list of local users on the Access Gateway and configure the Access Gateway to authenticate users against this local list. With this configuration, it is not necessary to maintain user accounts in a separate, external directory.
Deploying the Access Gateway with Citrix Presentation Server
When deploying the Access Gateway to provide secure remote access to Citrix Presentation Server, the Access Gateway works with the Web Interface and the Secure Ticket Authority (STA) to provide access to published applications and resources hosted on a server farm.
This section covers the basic aspects of deploying the Access Gateway with a server farm. For a detailed discussion of this deployment, see “Providing Access to Published Applications” on page 167.
The configuration of your organization’s network determines where you deploy the Access Gateway when it operates with a server farm. There are two options:
• If your organization protects the internal network with a single DMZ, deploy the Access Gateway in the DMZ.
• If your organization protects the internal network using two DMZs, deploy one Access Gateway in each of the two network segments in a double-hop DMZ configuration. For more information about deploying the Access Gateway in a double-hop DMZ, see “Deploying the Access Gateway in a Double-Hop Demilitarized Zone” on page 193.
Deploying the Access Gateway in the DMZ with Citrix Presentation Server
Deploying the Access Gateway in the DMZ is the most common configuration when the Access Gateway operates with a server farm.
Access Gateway and Web Interface deployed in the DMZ. Computers in the secure network are running Citrix Presentation Server.
When the Access Gateway is deployed in the DMZ to provide remote access to a server farm, these three possibilities exist:
Deploy the Web Interface behind the Access Gateway in the DMZ. In this configuration, both the Access Gateway and the Web Interface are deployed in the DMZ. The initial client connection goes to the Access Gateway and is then redirected to the Web Interface.
An example of this configuration is discussed in “Establishing a Secure Connection to the Server Farm” on page 30.
Deploy the Access Gateway parallel to the Web Interface in the DMZ. In this configuration, both the Access Gateway and the Web Interface are deployed in the DMZ, but the initial client connection goes to the Web Interface instead of the Access Gateway.
The Web Interface interacts with the Secure Ticket Authority (STA) and generates an ICA file to ensure the Presentation Server Client traffic is routed through the Access Gateway to a computer running Presentation Server in the server farm.
Deploy the Access Gateway in the DMZ and deploy the Web Interface in the internal network. In this configuration, user requests are authenticated by the Access Gateway before they are relayed to the Web Interface in the secure network. The Web Interface does not perform authentication, but interacts with the STA and generates an ICA file to ensure ICA traffic is routed through the Access Gateway to the server farm.
For detailed information, see “Providing Access to Published Applications” on page 167.
Establishing a Secure Connection to the Server Farm
This section provides one example of how an Access Gateway deployed in the DMZ works with the Web Interface to provide a secure, single point-of-access to published resources available on a secure enterprise network.
In this example, all of the following conditions exist:
• Clients from the Internet connect to the Access Gateway using Presentation Server Clients.
• The Web Interface resides behind the Access Gateway in the DMZ. Clients make the initial connection to the Access Gateway and the connection is passed to the Web Interface.
• The secure network contains a server farm. One server within this server farm runs the STA and one server within the server farm runs the Citrix XML Service.
The process by which clients access resources published by the server farm occurs as follows:
• A remote user types the address of the Access Gateway; for example, https://www.ag.wxyco.com, in the address field of a Web browser. The client attempts this SSL connection on port 443. Port 443 must be open through the firewall for this connection to succeed.
• The Access Gateway receives the connection request, but is configured to redirect the request to the Web Interface.
• The Web Interface sends a logon page to the client browser.
• The user submits authentication credentials. These credentials pass back through the Access Gateway to the Web Interface.
• The Web Interface sends the user credentials to the Citrix XML Service running in the server farm.
• The Web Interface populates a Web page with the list of published resources that the user is authorized to access and sends this Web page to the client.
• The user clicks a published application link. An HTTP request is sent to the Web Interface indicating the published application that was selected.
• The Web Interface interacts with the XML Service and receives a ticket indicating the server on which the published application will run.
• The Web Interface sends a session ticket request to the STA. This request specifies the IP address of the server on which the published application runs. The STA saves this IP address and sends the requested session ticket to the Web Interface.
• The Web Interface generates an ICA file containing the ticket issued by the STA and sends it to the client browser.
The ICA file generated by the Web Interface contains the Fully Qualified Domain Name (FQDN) or the Domain Name Server (DNS) name of the Access Gateway. Note that the IP address of the server running the requested application is never revealed to the client.
• The ICA file contains data instructing the Web browser to launch the Presentation Server Client. The client connects to the Access Gateway using the Access Gateway FQDN or DNS name in the ICA file. Initial SSL/TLS handshaking occurs to establish the identity of the Access Gateway.
• The Presentation Server Client sends the session ticket to the Access Gateway and the Access Gateway contacts the STA for ticket validation.
• The STA returns the IP address of the server on which the requested application resides to the Access Gateway.
• The Access Gateway establishes a TCP connection to a computer running Presentation Server.
• The Access Gateway completes the connection handshake with the Presentation Server Client and indicates to the client that the connection is established with the server.
All further traffic between the client and the server is simply proxied through the Access Gateway.
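The ticket exchange walked through above, modelled end to end with all four parties (XML Service, Web Interface, STA, Access Gateway). This is an added example, not Citrix code: the farm data, the gateway address reuse of www.ag.wxyco.com, the constructed clock, and the assumption that a session ticket is single-use and expires are not taken from the guide. The point it makes concrete is the one the text stresses: the ICA file carries only the gateway name and an opaque ticket, and the internal server address is resolved by the STA for the gateway alone.

```python
"""Model of the STA ticket exchange described above. Added example; the
single-use and expiry behaviour of tickets, the clock, and all names and
addresses are assumptions, not taken from the Citrix guide."""
import secrets


class SecureTicketAuthority:
    """Issues opaque tickets and remembers the server IP each one stands for."""

    def __init__(self, ttl_seconds=100):
        self._tickets = {}          # ticket -> (server_ip, expires_at)
        self.ttl = ttl_seconds
        self.now = 0                # constructed clock, advanced by the caller

    def request_ticket(self, server_ip):
        ticket = secrets.token_urlsafe(24)      # unguessable, not derived from the IP
        self._tickets[ticket] = (server_ip, self.now + self.ttl)
        return ticket

    def validate(self, ticket):
        """Return the server IP for a live ticket, consuming it; None otherwise."""
        entry = self._tickets.pop(ticket, None)  # assumption: single use
        if entry is None:
            return None
        server_ip, expires_at = entry
        return server_ip if self.now <= expires_at else None


class XmlService:
    """Constructed stand-in: which server hosts each published app, per user."""

    def __init__(self, published):
        self.published = published                # {(user, app): server_ip}

    def resolve(self, user, app):
        try:
            return self.published[(user, app)]
        except KeyError:
            raise PermissionError(f"{user} is not authorized for {app}") from None


class WebInterface:
    """Resolves the app via the XML Service and writes an ICA file for the client."""

    def __init__(self, sta, gateway_fqdn, xml_service):
        self.sta, self.gateway_fqdn, self.xml = sta, gateway_fqdn, xml_service

    def launch(self, user, app):
        server_ip = self.xml.resolve(user, app)   # raises if the user is not authorized
        ticket = self.sta.request_ticket(server_ip)
        # The ICA file names the gateway, never the internal server address.
        return {"Address": self.gateway_fqdn, "Ticket": ticket}


class AccessGateway:
    def __init__(self, sta):
        self.sta = sta

    def connect(self, ica_file):
        """Validate the client's ticket with the STA; return the server to proxy to."""
        server_ip = self.sta.validate(ica_file["Ticket"])
        if server_ip is None:
            raise PermissionError("ticket unknown, replayed or expired")
        return server_ip       # a TCP connection to server_ip would be opened here


def run_exchange():
    """Drive one launch plus a replayed and an expired ticket; return observations."""
    sta = SecureTicketAuthority(ttl_seconds=100)
    xml = XmlService({("alice", "Notepad"): "10.0.2.30"})   # constructed farm data
    wi = WebInterface(sta, "www.ag.wxyco.com", xml)
    ag = AccessGateway(sta)

    ica = wi.launch("alice", "Notepad")
    results = {"ica_leaks_ip": "10.0.2.30" in str(ica), "first_connect": ag.connect(ica)}
    try:
        ag.connect(ica)                      # same ticket presented a second time
        results["replay"] = "accepted"
    except PermissionError:
        results["replay"] = "rejected"

    ica2 = wi.launch("alice", "Notepad")
    sta.now += 101                           # let the ticket lapse
    try:
        ag.connect(ica2)
        results["expired"] = "accepted"
    except PermissionError:
        results["expired"] = "rejected"
    return results
```

Because the mapping from ticket to server lives only in the STA, nothing the client receives can be replayed against the farm directly; the gateway is the only party that learns the address, and only after the STA has accepted the ticket.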
Deploying the Access Gateway in a Double-Hop DMZ
Some organizations use three firewalls to protect their internal networks. The three firewalls divide the DMZ into two stages to provide an extra layer of security for the internal network. This network configuration is called a double-hop DMZ.
You can deploy the Access Gateway in a double-hop DMZ configuration to provide a single point-of-access to a server farm residing in an internal network. With this configuration, you must deploy two Access Gateway appliances: one in the first stage of the DMZ and one in the second stage of the DMZ.
Two Access Gateway appliances deployed in a double-hop DMZ
The figure above shows two Access Gateway appliances deployed in a double-hop DMZ to control access to a server farm.
In this deployment, the clients, the Access Gateway appliances, and the Web Interface perform these operations:
• Users from the Internet use a Web browser and Presentation Server Client to connect to the Access Gateway in the first DMZ.
• The Access Gateway in the first DMZ receives the client connections and redirects these connections to the Web Interface in the second DMZ. This Access Gateway also handles connections from the clients that connect to the server farm on the internal network.
• The Web Interface performs various interactions with the Web browser clients and components of the server, including the XML Service and the Secure Ticket Authority (STA). These interactions provide a user with a list of published applications and enable the user to access a published application by clicking a link in this list.
• The Access Gateway in the second DMZ acts as a proxy that enables ICA traffic to traverse the second DMZ and connect to the server farm in the internal network. The Access Gateway in the second DMZ also enables the Access Gateway in the first DMZ to communicate with the STA in the internal network.
For detailed information about these interactions and the configurations required to deploy two Access Gateway appliances in a double-hop DMZ configuration, see “Deploying the Access Gateway in a Double-Hop Demilitarized Zone” on page 193.
Deploying Additional Appliances for Load Balancing and Failover
You can install multiple Access Gateway appliances into your environment for one or both of these reasons:
Scalability. If you have a large remote user population, install additional Access Gateway appliances to accommodate the user load.
High Availability. If an Access Gateway fails, you can install an additional Access Gateway to ensure that the internal network remains available to remote users.
Important The Web Interface must be installed parallel to the Access Gateway in the second DMZ.
Deploying Access Gateway Appliances behind a Load Balancer
To support both scalability and high availability, you can install a load balancer and then install multiple Access Gateway appliances behind the load balancer. Deploying multiple appliances behind a load balancer enables you to support a large population of remote users and maintain high availability of the internal network to the users.
Multiple Access Gateway appliances deployed behind a load balancer
For detailed information about deploying multiple Access Gateway appliances behind a load balancer, see “Installing Additional Access Gateway Appliances” on page 235.
Deploying Access Gateway Advanced Edition
If you purchased the Access Gateway Advanced Edition, you must configure the Access Gateway to communicate with the Advanced Access Control software. Use the Administration Tool to switch the Access Gateway to Advanced Access Control, which then manages the settings for the gateway cluster or clusters. After you configure Advanced Access Control, use the Administration Tool to manage appliance-specific settings only.
To enable Advanced Access Control
1. On the Access Gateway Cluster tab, select an Access Gateway and click the Advanced Options tab.
2. Select Advanced Access Control.
3. In Server running Advanced Access Control, type the IP address or FQDN of the server that is running the Access Management Console.
4. To encrypt communication between the Access Gateway and the server running Advanced Access Control, select Secure server communication.
5. Click Submit.
The server or servers that are configured to connect to the Access Gateway appear in Servers Running Advanced Access Control. To remove a server from the list, select the server and then click Remove.
Caution When you select the Advanced Access Control for managing the Access Gateway, the corresponding settings in the Administration Tool are deactivated. If you configured these settings with the Administration Tool before selecting Advanced Access Control, you must configure these settings again using the Access Management Console. For more information about configuring these settings in the console, see the Citrix Access Gateway Advanced Edition Administrator’s Guide.
If you disable administration with the Advanced Access Control, settings in the Access Management Console are deactivated and existing configuration values are removed. Settings that were previously configured on the Access Gateway are restored.
Multiple Servers in an Access Server Farm
If the Access Gateway is configured to establish connections with multiple servers running Access Gateway Advanced Edition, the servers are checked to make sure they are active before the Access Gateway sends a request to them. If the Access Gateway detects that one server is not active, it can check at a specified interval to see if the server is back online. You can specify the interval period, in seconds, when the Access Gateway checks the server. The minimum amount of time that can be set is 60 seconds.
To specify the retry interval for a server running Advanced Access Control
1. Click the Access Gateway Cluster tab and then click the Advanced Options tab.
Installing the Access Gateway for the First Time
The Access Gateway installs in any network infrastructure without requiring changes to the existing hardware or back-end software. It works with other networking products such as server load balancers, cache engines, firewalls, routers, and IEEE 802.11 wireless devices.
Citrix recommends installing the Access Gateway in the corporate demilitarized zone (DMZ). When installed in the DMZ, the Access Gateway participates on two networks: a private network and a public network with a publicly routable IP address. Typically, the private network is the corporate network and the public one is the Internet. You can also use the Access Gateway to partition local area networks internally in the organization for access control and security. You can create partitions between wired or wireless networks and data and voice networks.
Getting Ready to Install the Access Gateway
To install the Access Gateway, verify that the contents of the box match the packing list. If an item on the packing list is missing from the box, contact Citrix Customer Care.
If you are installing the Access Gateway in a rack, see Getting Started with Citrix Access Gateway Standard Edition for instructions.
Materials and Information Needed for Installation
Before installing the Access Gateway, collect materials for the initial configuration and for the connection to your network.
For initial configuration, use one of the following setups:
• A cross-over cable and a Windows computer
For a connection to a local area network, use the following items:
• One network cable to connect the Access Gateway inside of a firewall or to a server load balancer
• Two network cables to connect the Access Gateway located in the demilitarized zone (DMZ) to the Internet and private networks
Citrix recommends that you use the Access Gateway Standard Edition Pre-Installation Checklist to collect the following network information for appliances:
• The Access Gateway internal IP address and subnet mask
• The Access Gateway external IP address and subnet mask
• The Access Gateway FQDN for network address translation (NAT)
• The IP address of the default gateway device
• The port to be used for connections
If connecting the Access Gateway to a server load balancer:
• The Access Gateway IP address and subnet mask.
• The settings of the server load balancer as the default gateway device (if required). See the load balancer manufacturer’s documentation for more information.
• The FQDN of the server load balancer to be used as the external public address of the Access Gateway.
• The port to be used for connections.
Setting Up the Access Gateway Hardware
This section provides procedures for setting up the Access Gateway for the first time.
To physically connect the Access Gateway
1. Install the Access Gateway in a rack if it is rack-mounted.
For more information about installing the Access Gateway in a rack, see Getting Started with Citrix Access Gateway Standard Edition.
2. Connect the power cord to the AC power receptacle.
3. Connect either the serial cable to a Windows computer, a cross-over cable to a Windows computer, or an RJ-45 network cable to a network switch and the Access Gateway.
4. Configure the TCP/IP settings using the instructions in “Configuring TCP/IP Settings for the Access Gateway” on page 39.
Access Gateway connection options using a cross-over cable, a network switch, or terminal emulation
Configuring TCP/IP Settings for the Access Gateway
The preconfigured IP address of the Access Gateway is 10.20.30.40. The IP address can be changed using a serial cable and a terminal emulation program, or by connecting the Access Gateway using network cables and the Administration Tool.
Configuring TCP/IP Settings Using the Serial Console
The serial console provides the following options for configuring the Access Gateway:
• [0] Express Setup configures the TCP/IP settings for Interface 0 on the Access Gateway Cluster > General Networking tab
• [1] Ping is used to ping other network devices to check for connectivity
• [2] Link Modes is used to set the duplex mode and speed mode for Interface 0 on the Access Gateway Cluster > General Networking tab
• [3] External Administration Port enables or disables connections to the Administration Tool from a remote computer
• [4] Display Log displays the Access Gateway log
• [5] Reset Certificate resets the certificate to the default certificate that comes with the Access Gateway
• [6] Change Administrative Password allows you to change the default administrator password of rootadmin
• [7] Help displays help information
• [8] Log Out logs off from the Access Gateway
To configure TCP/IP settings using a serial cable
1. Connect the serial cable to the 9-pin serial port on the Access Gateway and connect the cable to a computer that is capable of running terminal emulation software.
Important Citrix recommends changing the administrator password before connecting the Access Gateway to your network. The new password can be six to 127 characters long and cannot begin or end with a space.
2. On the computer, start a terminal emulation application such as HyperTerminal.
3. Set the serial connection to 9600 bits per second, 8 data bits, no parity, 1 stop bit. Hardware flow control is optional.
4. Turn on the Access Gateway. The serial console appears on the computer terminal after about three minutes.
5. If using HyperTerminal, press the Enter key.
6. On the serial console, enter the default administrator credentials. The user name is root and the password is rootadmin.
7. To set the IP address and subnet mask and the default gateway device for Interface 0, type 0 and press Enter to choose Express Setup. After you respond to the prompts, the information you entered appears. To commit your changes, type y; the Access Gateway restarts.
8. To verify that the Access Gateway can ping a connected network device, type 1 and enter the IP address of the device.
9. Remove the serial cable and connect the Access Gateway using either a cross-over cable to a Windows computer or a network cable to a network switch and then turn on the Access Gateway.
Additional Access Gateway settings are configured using the Administration Tool.
Configuring TCP/IP Settings Using Network Cables
The Access Gateway has two network adapters installed. One network adapter communicates with the Internet and client computers that are not inside the corporate network. The other network adapter communicates with the internal network.
Note HyperTerminal is not automatically installed on Windows 2000 Server or Windows Server 2003. To install HyperTerminal, use Add/Remove Programs in the Control Panel.
Citrix recommends that both network adapters be configured for maximum security. If only one network adapter is used, it has to be routable for internal resources using Network Address Translation (NAT). Also, if only one network adapter is used, throughput of network traffic is cut in half and can cause a bottleneck of network traffic.
You can install the Access Gateway and configure TCP/IP settings using network cables, such as two RJ-45 network cables, or cross-over cables. The RJ-45 cables are connected to a network switch and to the Access Gateway. The cross-over cables are connected to a Windows computer and the Access Gateway.
To configure TCP/IP settings using network cables
1. Power on the Access Gateway.
After about three minutes, the Access Gateway is ready for its initial configuration with your network.
2. Open a Web browser and type https://10.20.30.40:9001 to open the Administration Portal. Use the default user name and password of root and rootadmin.
3. On the Downloads tab, under Access Gateway Administration Tool, click Install the Access Gateway Administration Tool.
Follow the prompts to complete installation.
4. Log on to the Administration Tool using the default user name and password.
5. On the Access Gateway Cluster tab, open the window for the Access Gateway.
6. On the General Networking tab, under Interface 0 and Interface 1, next to IP Address, type the new IP addresses of the appliance.
Citrix recommends selecting Use both interfaces.
7. In Subnet mask, enter the subnet mask that is appropriate for the IP address entered for the interface(s).
8. In External FQDN, type the fully qualified domain name.
9. In Duplex Mode select the direction of the transmission data.
The default setting is auto. You can also select full duplex or half duplex.
10. In Speed Mode select the network speed of the adapter.
The default setting is auto. You can also select 10Mbps, 100Mbps, or 1000Mbps.
11. In Maximum Transmission Unit (MTU), select the maximum transmission unit that defines the maximum size of the transmitted packet. The default setting is 1500.
12. In Port, select the incoming port that is used for connections. The default is 443.
13. To configure a default gateway, in IP address, type the IP address of the gateway. In Interface, select the network adapter on the Access Gateway with which the Default Gateway communicates.
The IP address is the default gateway device, such as the main router, firewall, or server load balancers, depending on your network configuration. This should be the same as the Default Gateway setting that is on computers on the same subnet.
For information about the relationship between the Default Gateway and dynamic or static routing, see “Configuring Additional Network Settings” on page 57.
After you configure your network settings on the Access Gateway, you need to restart the appliance.
Redirecting Connections on Port 80 to a Secure Port
By default, the Access Gateway does not accept unsecure connections on port 80. If a user attempts to connect to the Access Gateway using HTTP on port 80, the connection attempt fails.
You can configure the Access Gateway to automatically redirect HTTP connection attempts on port 80 to be secure connections on port 443 (or other secure port).
If a user attempts an unsecure connection on port 80, the Access Gateway automatically converts this connection attempt into a secure (SSL-encrypted) connection on port 443.
To redirect unsecure connections
1. Click the Access Gateway Cluster tab and open the window for the Access Gateway.
2. Click the General Networking tab.
3. Click the Advanced button.
4. Click Redirect any requests for port 80 to a secure port.
5. Click OK.
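The port 80 to secure port redirect described above, as an added example of how such a redirector should be built; it is not the Access Gateway's own code. The External FQDN value, the secure port and the request lines are constructed. The design point is that the Location header is assembled from the configured External FQDN, not from the client's Host header or an absolute-form request target, so a forged request cannot turn the redirector into a hop to some other host.

```python
"""HTTP (port 80) to HTTPS redirect, as an added example. The FQDN and the
requests are constructed; this is not the appliance's implementation."""
from urllib.parse import urlsplit, quote


def secure_location(request_target, external_fqdn, secure_port=443):
    """Map a plaintext request target to the equivalent https:// URL on the gateway.

    Only the path and query of the request are reused; the host always comes from
    the configured External FQDN so the redirect can never point off the gateway.
    """
    if request_target.startswith("/"):
        parts = urlsplit("http://ignored" + request_target)   # origin-form: /path?query
    else:
        parts = urlsplit(request_target)                      # absolute-form, or junk such as "*"
    path = parts.path if parts.path.startswith("/") else "/"
    path = quote(path, safe="/%")                             # keep the header pure ASCII
    query = f"?{quote(parts.query, safe='=&%+;')}" if parts.query else ""
    authority = external_fqdn if secure_port == 443 else f"{external_fqdn}:{secure_port}"
    return f"https://{authority}{path}{query}"


def redirect_response(raw_request, external_fqdn, secure_port=443):
    """Turn the request line of a port-80 request into a 301 response (bytes).

    Malformed request lines get a 400 with no Location header at all.
    """
    request_line = raw_request.split(b"\r\n", 1)[0].decode("latin-1")
    fields = request_line.split(" ")
    if len(fields) != 3 or not fields[2].startswith("HTTP/"):
        return b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\nContent-Length: 0\r\n\r\n"
    location = secure_location(fields[1], external_fqdn, secure_port)
    return (
        b"HTTP/1.1 301 Moved Permanently\r\n"
        + f"Location: {location}\r\n".encode("ascii")
        + b"Connection: close\r\nContent-Length: 0\r\n\r\n"
    )


if __name__ == "__main__":
    # Constructed request with a Host header that does not name the gateway.
    req = b"GET /citrix/?app=Notepad HTTP/1.1\r\nHost: other.example\r\n\r\n"
    print(redirect_response(req, "ag.example.com").decode())
```

A redirect only helps users who typed a plain http:// address by mistake; credentials should never be sent over port 80 in the first place, which is why the response carries no body and the default remains to refuse port 80 entirely.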
Configuring TCP/IP Settings for a Double-Hop Deployment
The Access Gateway can be installed in a double-hop DMZ scenario to provide access to a server farm. For more information about this deployment, see “Deploying the Access Gateway in a Double-Hop Demilitarized Zone” on page 193.
Restarting the Access Gateway
After configuring your network settings, restart the Access Gateway.
To restart the Access Gateway
1. In the Administration Tool, click the Access Gateway Cluster tab and open the window for the Access Gateway.
2. On the Administration tab, next to Restart the appliance, click Restart.
-or-
Click the Action menu and click Restart appliance name, where appliance name is the name of the Access Gateway.
You can also restart the Access Gateway from the Administration Portal.
To restart the Access Gateway from the Administration Portal
In the Administration Portal, click Maintenance. Next to Restart the Server, click Restart.
Configuring the Access Gateway for Your Network Environment
After the initial TCP/IP settings are configured on the Access Gateway, you then need to configure the appliance for your network environment. The steps for additional configuration of the Access Gateway are:
• Installing Licenses
• Creating and Installing Certificates
• Configuring Additional Network Settings
• Configuring the Date and Time on the Access Gateway
• Using the Default Portal Page
Installing Licenses
The Access Gateway licensing limits the number of concurrent user sessions to the number of licenses purchased. If you purchase 100 licenses, you can have 100 concurrent sessions at any time. When a user ends a session, that license is released for the next user. A user who logs on to the Access Gateway from more than one computer occupies a license for each session.
If all licenses are occupied, no additional connections can be opened until a user ends a session or the administrator uses the Real-Time Monitor to close a connection, thereby releasing a license. For information about using the Real-Time Monitor to close connections, see “Configuring User Connections for Secure Access Client” on page 121.
If you have multiple appliances in your network, one Access Gateway is the licensing server, allocating licenses to the other appliances. When a user logs on to another appliance on the network, the license is pulled from the Access Gateway that is the licensing server. If you have a cluster, the installed licenses are not published to the other appliances. For more information about using licenses with multiple appliances, see “Configuring Licenses for Multiple Appliances” on page 48.
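The concurrent-session licensing rules in the two paragraphs above, as an added model that is not Citrix code; appliance names, user names and the pool size are constructed. It follows the text literally: one license per session rather than per user, a single pool served by the appliance that holds the license file, and release only when the session ends or an administrator closes the connection.

```python
"""Model of Access Gateway concurrent-session licensing, as an added example.
Names and the pool size are constructed; this is not Citrix code."""
import itertools


class LicenseExhausted(Exception):
    pass


class LicenseServer:
    """The Access Gateway holding the license file; other appliances draw from it."""

    def __init__(self, purchased):
        self.purchased = purchased
        self.sessions = {}            # session_id -> (user, appliance)
        self._ids = itertools.count(1)

    @property
    def available(self):
        return self.purchased - len(self.sessions)

    def checkout(self, user, appliance):
        """One license per session: a second computer for the same user costs one more."""
        if self.available == 0:
            raise LicenseExhausted(f"all {self.purchased} licenses in use")
        sid = next(self._ids)
        self.sessions[sid] = (user, appliance)
        return sid

    def release(self, sid):
        """Session ended, or an administrator closed it; idempotent on purpose."""
        self.sessions.pop(sid, None)

    def in_use_by(self, user):
        return [sid for sid, (u, _) in self.sessions.items() if u == user]


class Appliance:
    """Any gateway in the network; it keeps no license count of its own."""

    def __init__(self, name, license_server):
        self.name, self.licenses = name, license_server

    def logon(self, user):
        return self.licenses.checkout(user, self.name)

    def logoff(self, sid):
        self.licenses.release(sid)


def run_scenario():
    """Three licenses, two appliances; returns what each step observed."""
    ls = LicenseServer(purchased=3)
    ag1, ag2 = Appliance("ag-primary", ls), Appliance("ag-secondary", ls)
    alice_laptop = ag1.logon("alice")
    alice_desktop = ag2.logon("alice")      # same user, second computer, second license
    bob = ag2.logon("bob")
    out = {
        "after_three": ls.available,
        "alice_sessions": len(ls.in_use_by("alice")),
        "bob_served_by": ls.sessions[bob][1],
    }
    try:
        ag1.logon("carol")
        out["carol_first_try"] = "connected"
    except LicenseExhausted:
        out["carol_first_try"] = "refused"
    # An administrator closes one of alice's connections (Real-Time Monitor in the guide).
    ls.release(alice_laptop)
    out["alice_desktop_still_open"] = alice_desktop in ls.sessions
    out["carol_second_try"] = "connected" if ag1.logon("carol") else "refused"
    out["final_available"] = ls.available
    return out
```

The model makes the capacity-planning consequence visible: the pool is sized by sessions, so users who habitually stay logged on from more than one machine consume licenses faster than a head count suggests, and an idle session blocks a new user until someone ends or closes it.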
If you are using Access Gateway Advanced Edition, licensing functionality is handled by the Citrix License Server. For more information about licensing with Access Gateway Advanced Edition, see the Citrix Access Suite Licensing Guide and the Access Gateway Advanced Edition Administrator’s Guide.
Obtaining Your License Files
After you install the Access Gateway, you are ready to obtain your license files from Citrix. This process involves going to http://www.mycitrix.com/ to access your available licenses and generating a license file. When the license file is generated, download it to the computer where the Administration Tool is installed. After the license file is on the computer, you can then upload it to the Access Gateway.
Before going to the Citrix Web site, you need the following information:
The license code. You can find the code on the Access Gateway CD, in an email you receive from Citrix, or from the Subscription Advantage Management-Renewal-Information system (SAMRI).
Your user ID and password for MyCitrix. You can register for this password on MyCitrix.
The FQDN of the Access Gateway. The entry field for this name on MyCitrix is case-sensitive so ensure that you copy the FQDN exactly as it appears on the Access Gateway Cluster > General Networking tab.
Important The host name in the license file must match exactly the host name on the Access Gateway, including letter case.
How many licenses you want to include in the license file. You do not have to download all of the licenses you are entitled to at once. For example, if your company purchases 100 licenses, you can choose to download 50. At a later date, you can allocate the rest in another license file. Multiple license files can be installed on the Access Gateway.
To obtain your license file
1. From a Web browser, go to http://www.mycitrix.com/.
2. Enter your user name and password.
If this is the first time you are logging on to the site, you are asked for additional background information.
3. Select Licensing > Citrix Activation System > Activate or Allocate Licenses.
4. Follow the process to obtain your license file.
After you successfully download the license file to your computer, you can then install it on the Access Gateway.
To install a license on the Access Gateway
1. On the Access Gateway Cluster tab, open the window for the Access Gateway.
2. Click the Licensing tab.
3. Select Use this appliance as the license server.
4. Next to Install a license file, click Browse and navigate to the license file, and then click Open.
5. Click Submit after the license file is uploaded to the Access Gateway.