Question

Configuring Citrix Secure Gateway / Web Interface for Inside and Outside Users on PS4

Asked by: tech2010

Hi

I have been struggling for more than a month now to get Citrix Secure Gateway/Web Interface working for internet users over the secure channel.

In order to achieve this I have done the following things so far:

1) Installed a machine in the DMZ and configured the PIX firewall accordingly to allow ports 1494, 80, 443 and 2598.

2) Installed Citrix Web Interface on this server.

3) Installed Microsoft Certificate Services (CA) on this server, generated a server certificate issued to the FQDN of that server, downloaded the certificate chain (.p7b) and imported/installed that certificate on that machine on the default IIS website on port 444.

Note: I am using Microsoft Certificate Services on that server to issue the certificate, not a third party, e.g. VeriSign.

4) I then tested https://FQDN:444 successfully to make sure that the certificate security alert comes up and I can still access published applications on the LAN.

Up to here, steps 1 to 4 are all OK; after this point the problems start:

5) Installed Citrix Secure Gateway on the same machine.

6) Provided the same FQDN server name (as shown on the certificate) when configuring the Secure Gateway URL, using port 443.

7) Selected "Gateway Direct" as the access method in the Secure Gateway.

Now all configuration has been completed.

So I tried a test on my LAN: I went to one of my client machines and tried to access the Secure Gateway via https://FQDN. I logged in successfully and it shows all my published applications as well, but when I access any of my published applications I get the following error message:

"SSL Error 61: You have not chosen to trust "FQDN name on my secure gateway", the issuer of the server's security certificate."

Please tell me where I am doing things wrong, as I am sick and tired of trying to fix this for more than a month now, but I want to resolve this issue at any cost.

I also installed the certificate on my STA server and on the client machine as well, but no joy! Please help me get out of this. Furthermore, I have also followed the following two links:

http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part1.html
http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part2.html

Your help is much appreciated.

Thanks in advance


Asked on: 2009-03-27 at 04:02:08 (ID 24270586)
Topics: Citrix, Secure Socket Layer (SSL) & HTTPS, Microsoft IIS Web Server
Participating experts: 3 | Points: 500 | Comments: 52

Answers

 

by: CarlWebster | Posted on 2009-03-27 at 04:09:10 | ID: 23999652

 

by: tech2010 | Posted on 2009-03-27 at 07:54:23 | ID: 24001559

Hi CarlWebster

Thanks for this.

I think you did a great job by publishing this detailed article; I am sure this will really help all the IT folks out there in the world trying to configure Secure Gateway access. Thanks again.

Now, it looks like I will probably uninstall my existing Web Interface, Secure Gateway and certificate and follow your article from scratch; however, before that I would like your advice on the below:

Presently I have a Citrix Presentation Server 4.0 farm of 25 servers running in production, and we are fully licensed to download and install the new XenApp (confusing terms :-) ). I had downloaded the latest Web Interface 5.1 from the Citrix website and installed it on my Web Interface server, bearing in mind I am still running PS4.0 in the Citrix farm where all my published apps are hosted.
As far as Secure Gateway is concerned, instead of downloading the latest version I had installed SG 3.0.1 from my PS4.0 component CD on the same server; probably that's why things are not working, because I have a mix of old and new versions. I have Web Interface 5.1 and SG 3.0.1 on the same server, and the STA and Citrix farm are running on PS4.0. What are your comments on this kind of setup?

Secondly, after reading your article I wanted to build Web Interface and SG on a clean server and follow your instructions. Now my question: will there be any problem using Web Interface 4.6 and SG 3.1 communicating with a PS4.0 Citrix farm, or should I first upgrade my whole Citrix farm of 25 servers to XenApp, which is a hell of a job? Or are the new XenApp plugin and SG 3.1 compatible with PS4.0 and should work together without any problem? What do you recommend?
Thanks

 

by: CarlWebster | Posted on 2009-03-27 at 07:59:29 | ID: 24001618

Web Interface 5.1.1 is VERY different from Web Interface 4.x.  I would stay away from it right now.

Web Interface 4.6 and CSG 3.1 will work just fine with PS4.0.

I haven't had ANY issues on any Citrix farm upgrading servers from 4.0 to 4.5.

Upgrade your data collector first, then farm metric servers (if any), then database connection server (if any) and then the rest of the servers.

Backup your data store first.

 

by: BLipman | Posted on 2009-03-27 at 08:11:07 | ID: 24001756

I just put together a new WI 5/CSG box using the CSG version on the XenApp 5 disk, it went just like any other site I put together.  If you want to try the latest stuff just follow CarlWebster's walkthrough but use the newer versions.  There is that frightening thing about being on the bleeding edge though.  The 4.5 version is more seasoned.  

 

by: CarlWebster | Posted on 2009-03-27 at 08:13:39 | ID: 24001785

I am also redoing the 3 part series for WI5.1.1/CSG3.1 on server 2008.  But I am going to AR to see my new grandbaby this weekend so the next 3 parter will have to wait until next week.

 

by: tech2010 | Posted on 2009-03-27 at 08:16:52 | ID: 24001822

Well said! So for the moment I will just install WI 4.6 and SG 3.1 to work with my PS4.0.

In order to upgrade as you suggested, does that mean that eventually I will have to upgrade or install XenApp on all 25 servers? I was thinking that I might have to upgrade only one or two servers in my farm, like the data collector etc., and my farm would be upgraded?

Another thing: because I will not be using GoDaddy for the CA, is it OK if I install Microsoft Certificate Server in my network and use it to issue the certificate for SG, and follow the rest of your article to install the certificate but only skip the GoDaddy section of your article?

Thanks

 

by: BLipman | Posted on 2009-03-27 at 08:21:21 | ID: 24001885

Using your own CA should be fine as long as you want to do the work of loading the client half everywhere.  Your WI/CSG version can be different than your App server version.  A WI 5 works fine with PS4.5.  I would get off of PS4 though, it is EOL, EOM at the end of the year: http://www.citrix.com/site/SS/supportThird.asp?slID=5107&tlID=5110

 

by: CarlWebster | Posted on 2009-03-27 at 08:23:05 | ID: 24001905

When you install the first 4.5 server your data store and data collector are automatically upgraded.  Your farm is now in mixed mode and Citrix only recommends running in mixed mode for brief periods of time while you upgrade the rest of the servers.  The danger is that once you introduce a 4.5 server, ALL farm mgmt MUST be done from the 4.5 server.  If you then attempt to use a 4.0 server for farm mgmt you run the risk of corrupting your data store and destroying your farm!!!

Yes, you can use your own MS Cert Srvr with no issues in place of the GD instructions.  Are the certs you generate from your MS Cert Srvr trusted on the Internet?

 

by: tech2010 | Posted on 2009-03-27 at 08:49:05 | ID: 24002272

Thanks BLipman and Carl, I will probably first give it a go with WI 4.6 and SG 3.1 as per Carl's article, just to minimize the chance of being unfortunate another time :)

Carl, I don't think our Cert Svr is trusted on the internet, as I will just install MS Cert Srv and generate the certificate. Just to let you know, I don't know anything about certs or how they work! All I wanted was for my SG to work.

 

by: BLipman | Posted on 2009-03-27 at 08:54:48 | ID: 24002337

So here is something that may make your life easier if you aren't very comfortable with manually managing certificates.  The $30/year cert you can buy from GoDaddy will work with 99% of all browsers without you needing to do anything extra.  It is a small cost for ease of use and nearly universal acceptance.  When you do your Trusted Root Certificate updates in Windows you are preloading all of these commercial shared keys so people like Thawte, Verisign, and even GoDaddy are already functional in your browser.  

I didn't know if you had other reasons but it is a small cost savings to avoid the pain of cert management.  Now if you had all internal users, had an enterprise CA that autoenrolled your users...or even if you were just testing or rolling something small out, I would say doing your own CA is worthwhile.  Managing a CA properly will cost you more than $30/year in man hours though.  Just my thoughts.  

 

by: tech2010 | Posted on 2009-03-27 at 08:54:50 | ID: 24002338

Only our company's users will be accessing our Citrix farm via SG from outside, so I think we don't need to purchase a certificate from a third party as this is not for public use.

 

by: BLipman | Posted on 2009-03-27 at 08:59:57 | ID: 24002399

I still use a public cert because I am lazy and $30 is cheaper than having my desktop guy take support calls on old certificates.  Using your own will work fine though.  If you want to make it even easier you can alter your WI site to give users links to your p7b and a PDF for loading certs.  You can do all sorts of customization to the site.  Do a web search on 'branding the citrix web interface' and you will get all sorts of info.  

Good luck!

 

by: tech2010 | Posted on 2009-03-27 at 09:44:12 | ID: 24002945

Hi Carl/BLipman

Another thing I was going to ask: I do not have access to my external DNS authority, so when I do my test as an outside user accessing the Citrix gateway I just type the public IP address of my firewall, which obviously NATs to my SG machine. So my question is, is it OK to work using the IP address in the browser rather than typing the FQDN of my domain, as I have not added a host record in my external DNS? I ask this because I have seen Carl's article saying something about adding a host record in the local hosts file on the Web Interface server pointing to the FQDN which outside users will be typing. So before I modify DNS, is it OK if I do my test and get it working using the public IP, and then once happy add the entry in my external DNS? Or do I have to first add the record in my external DNS? Thanks

 

by: CarlWebster | Posted on 2009-03-27 at 10:04:18 | ID: 24003194

Accessing the public IP directly is fine, BUT the SSL cert will complain that the IP doesn't match the FQDN assigned to the cert.  You can ignore that msg and continue on.

 

by: tech2010 | Posted on 2009-03-30 at 13:17:30 | ID: 24022865

Hi Carl

I have followed your article but unfortunately I am still having problems. Internally things work just fine, but from outside I get the error "SSL relay can't resolve name".

Let me just tell you something about my setup:

In the gateway address FQDN setting in Web Interface I have entered the NetBIOS FQDN of my Windows domain, which is only accessible from inside, as my DMZ machine is a domain member. Could this be the reason it is not working? Because I used my internal NetBIOS FQDN Windows domain name when registering the certificate, so my certificate common name was my Windows domain name.

I have also tried putting my public IP address into the gateway address, but then I get a certificate error. Also I have not assigned or added a host record for my public IP address which my outside users should use, because at the moment I don't have access to my external DNS.

Please tell me what I am doing wrong.

Thanks


Let

 

by: CarlWebster | Posted on 2009-03-30 at 14:04:01 | ID: 24023332

Your SSL certificate name should be the name people will use to connect to the Citrix Secure Gateway.  For me, this is citrix.websterslab.com even though the NetBIOS name is CitrixWI.citrixlab.local.

People use their Internet browser to go to https://citrix.websterslab.com.  citrix.websterslab.com resolves, right now, to 68.119.110.135.  In my firewall/router I redirect all TCP port 443 traffic to the internal IP address of CitrixWI which is 192.168.1.105.

Users hit https://citrix.websterslab.com which goes to 68.119.110.135:443 which goes to 192.168.1.105.  If there are no certificate errors the web interface site shows up in their browser.  The web interface then uses the XML Broker to authenticate the user's log on credentials using ctxgina.dll.  If the creds are accepted then the XML Broker contacts the Zone Data Collector which uses its dynamic store to determine 1 of 3 things:

  1. Does the user have a connected session on a server? If so, connect to that server.
  2. Does the user have a disconnected session on a server? If so, connect to that server.
  3. If the user has no connected or disconnected session, then look in the dynamic store to find the "least busy server" and connect the user to that server.

 

by: tech2010 | Posted on 2009-03-30 at 15:00:00 | ID: 24023889

OK, so does this mean that I must have a valid internet domain name mapped to my public IP address in the public DNS in order to set up the SSL certificate? Because I have not amended my public DNS yet, I am just using https://194.75.137.x in my browser to test SG from outside, and according to you that is not going to work until I have an FQDN for the above IP address?

I type https://194.75.137.x in my browser from outside and I get the logon page; I can log on successfully and am able to see all my published applications, but when I click any of the apps it gives an error message.

I am thinking of gaining access to my public DNS and adding a host record for my public IP address like
citrix.mypublicdomain.com ----> 194.75.137.x
and then re-setting up my certificate and seeing if it makes any difference. What are your comments?
Thanks

 

by: CarlWebster | Posted on 2009-03-30 at 15:16:14 | ID: 24024030

You can use the public IP and just ignore the certificate error.

Did you make the changes to the DMZ settings in the Access Mgmt Console?  i.e. Gateway Direct

 

by: tech2010 | Posted on 2009-03-30 at 15:23:17 | ID: 24024079

Yes, I am using "Gateway Direct".

After responding 'OK' to the certificate error message it does not do anything, because I get the error when I click on a published application: it goes to "connecting", stays on that connecting screen for 5 seconds and then gives me the error. I can't ignore the error.

 

by: tech2010 | Posted on 2009-03-30 at 15:35:45 | ID: 24024172

Do you mean that it is OK to put the public IP address under the gateway FQDN address?

Also I have attached the error message for you.

Thanks

 

by: tech2010 | Posted on 2009-04-01 at 07:09:28 | ID: 24039263

Any more comments or ideas are welcome. Thanks

 

by: CarlWebster | Posted on 2009-04-01 at 07:18:06 | ID: 24039357

Sorry, trying to meet a delivery deadline for a huge Citrix project for a customer out west.  Be patient.

 

by: tech2010 | Posted on 2009-04-01 at 08:49:57 | ID: 24040465

Sure, that's fine. Probably someone else should pick this up.

 

by: CarlWebster | Posted on 2009-04-01 at 08:56:03 | ID: 24040548

I was hoping BLipman or mgcIT would chime in.

 

by: BLipman | Posted on 2009-04-01 at 09:12:54 | ID: 24040754

Hello there,
here is a list of common SSL Errors: http://support.citrix.com/article/CTX711855

Where are you trying this from?  I would suggest starting from the Secure Gateway box and working out.  You say it works internally right?  Test in this order: from the CSG box, then from the LAN, then from the Internet.  Are you using the FQDN when you are testing or just the IP?  
Next, right click on an application from the Internet (assuming you have it working from the box and the LAN already).  Choose Save As, save the Launch.ica file to your desktop, and open it with Notepad.  Please post the contents, this helps a ton.  

 

by: tech2010 | Posted on 2009-04-01 at 09:12:58 | ID: 24040755

OK, I have requested attention for this message. Thanks

 

by: tech2010 | Posted on 2009-04-01 at 09:14:55 | ID: 24040774

Carl, by the way, just to let you know I am going to trash the existing machine and set up a new machine in the DMZ without making it a domain member, and redo all the setup. This will be my third attempt. I hope and pray it works this time. Thanks

 

by: BLipman | Posted on 2009-04-01 at 09:23:21 | ID: 24040862

Don't get frustrated, CSG+WI isn't always the most intuitive setup; it still takes me a few tries at getting the config just right.  

BTW, can you reply to my last post?  Otherwise I will just let Carl work this thread with you.  

Ben

 

by: dphantom | Posted on 2009-04-01 at 09:24:20 | ID: 24040873

The WI SG settings must be configured to point to the exact same name as is in your SSL certificate.

http://forums.citrix.com/message.jspa?messageID=442145

Can you verify that is the case?

 

by: tech2010 | Posted on 2009-04-01 at 12:54:26 | ID: 24043267

Hi Ben,

Sorry for the late reply. When I try from the gateway machine it does not work, but from the internal LAN it works.

Just to tell you, I use the Windows NetBIOS FQDN when I try from the LAN, and I use the external IP address when I try from the internet. The reason I use the IP address from the internet is that I have no host record added in my public DNS for the Citrix gateway FQDN. Is that needed to get it working, or is it OK to try with the IP address from outside?

Anyway, I have now trashed the whole machine and I am building a new gateway server; once I have built it, in a day, I will then send you launch.ica.txt.

Thanks

 

by: CarlWebster | Posted on 2009-04-01 at 12:59:20 | ID: 24043343

It is supposed to work from the gateway computer.  Are you installing both web interface AND secure gateway on the same computer?  If so, then it MUST work from the gateway computer.

 

by: tech2010 | Posted on 2009-04-01 at 13:06:19 | ID: 24043427

Yes, it is the same server. Things work fine until I configure the certificate and install Secure Gateway. Remember I have also installed MS Certificate Services, which I use to issue the certificate; although it is not trusted on the internet, it is supposed to work. This whole setup has made me mad, but I am not going to give up, even if I have to reinstall ten times.

 

by: BLipman | Posted on 2009-04-01 at 13:15:28 | ID: 24043533

It sounds like you almost have it.  For CSG I have always had the best luck using the SSL FQDN everywhere; at least for initial testing, then you can play around with the IP or a local netbios name.  

Here is the way to get around your external DNS issue though:
configure a host record on an external machine to resolve the SSL FQDN to your external IP.  Do the same from your CSG box if you must but you should be able to do this via your internal DNS unless the box goes straight to the Internet for DNS.  If that is the case then you have other issues because, like CarlWebster said, your WI and CSG must talk to each other with FQDNs.  

What may work is one thing but you want to test with the least amount of variables and then make it more complex as you succeed.  

Don't give up, you are gaining valuable experience with troubleshooting and building these systems!  

 

by: tech2010 | Posted on 2009-04-01 at 14:28:31 | ID: 24044220

Please define what you mean when you say SSL FQDN. Is this the domain name which can resolve over the internet, e.g. Citrix.MyPublicDomain.com, or is this the local Windows domain, e.g. hostname.mywindowsdomain.local?

What do you mean by external machine?

It sounds like I must have a host record in my external DNS to get it working?

 

by: BLipman | Posted on 2009-04-01 at 14:46:34 | ID: 24044374

The SSL FQDN is whatever common name you have in your certificate.  For example, I may have a server called ctx1.mydomain.ad with an internal IP of 192.168.1.2 and an external IP of 1.2.3.4 but my external DNS name is applications.mycompany.com which resolves to 1.2.3.4.  You should do all of your testing and setup with "applications.mycompany.com", not the IP or the internal FQDN (ctx1.mydomain.ad).  

...but what about when you have no control of external DNS or need to do this as a one-off for testing?  Well, we hack your hosts file.  Put a machine on the Internet outside of your company network (you can dial up a Cell modem, remote into a home machine, steal your neighbor's WiFi...whatever).  This machine won't be able to resolve applications.mycompany.com though because you don't have an A record in your external DNS.  So, navigate here: C:\Windows\System32\drivers\etc, open the "hosts" file with notepad and add a line right below the "localhost" line...just like this.  

127.0.0.1       localhost
1.2.3.4           applications.mycompany.com

close this file, go to the command prompt, do a
nbtstat -R  
(must be capital R), this will reload your name cache and preload any manual hosts entries.  Now ping your external (SSL) FQDN and it should resolve.  This will now allow you to use the right IP/FQDN combination wherever you are testing from.  

Once you are successful, you can try it out with other combinations like IP address and whatnot.  

 

by: CarlWebster | Posted on 2009-04-01 at 14:56:37 | ID: 24044437

You mean, just like I showed in my article? :)

 

by: tech2010 | Posted on 2009-04-01 at 15:26:08 | ID: 24044617

Thanks for explaining, Ben.

So does this mean that the common name in my certificate should only be "applications.mycompany.com", right?

Second thing, you said that if I have no control over external DNS... well, at the moment yes, this is the case, but I am trying my best to add a host record to my external DNS. Until then I can do the workaround you suggested, as in Carl's article :) But I am confused: by adding a line with the public IP on an internet machine, how will this public FQDN "applications.mydomain.com" be advertised on the internet, and how will any other machine on a different planet be able to resolve it?



 

by: BLipman | Posted on 2009-04-01 at 16:24:14 | ID: 24044909

They won't resolve this, it will only help you determine if everything is going to work once you get your external DNS entry in place.  Then, once you have confirmed this, you can test via IP and see if it works that way as well.  You always want to test with fewer variables and then add them in.  Start with the most likely to work and go out from there.  

The common name in your cert is arbitrary, it can be BobPeteSam.123.org if you own the 123.org namespace.  In your certificate you should see no http:// stuff though, it should be a "host.WhateverYourDomainIs.whatever".

Sorry Carl, I didn't read the article but it sounds like you have a pretty complete walkthrough there.  
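The name-matching rule behind the thread's "the IP doesn't match the FQDN" warnings and the common-name discussion above, as an added example written for this thread (it is not code from the posts, from Carl's article or from Citrix): a small Python checker that compares the name a user typed into the browser against the names a certificate carries, the way a browser or ICA client does. The certificate names and the address 203.0.113.10 are constructed for illustration. It also covers two cases the thread only brushes against: a certificate that has only a common name and no subjectAltName (typical of an internal Microsoft CA at the time), which is accepted through the CN only as a fallback, and wildcard names.

```python
"""Does the name a user typed match the names in the server certificate?

Added example for this thread; not code from the posts, from Carl's article
or from Citrix. Certificate names and addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertNames:
    """The identifiers a server certificate carries."""
    common_name: str
    dns_names: List[str] = field(default_factory=list)  # subjectAltName dNSName entries
    ip_names: List[str] = field(default_factory=list)   # subjectAltName iPAddress entries


def _as_ip(text):
    """Return an ip_address object, or None if the text is not a literal IP."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern, host):
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored,
    '*' allowed only as the whole left-most label and never across a dot."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # "*.example.com" is fine; "*" or "*.com" is not, nor is "a*.example.com".
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def explain_match(cert, reference):
    """Return "ok" if the reference name is covered, else the reason it is not."""
    ip = _as_ip(reference)
    if ip is not None:
        # A literal IP only ever matches an iPAddress SAN, never a DNS name or the CN.
        if any(_as_ip(n) == ip for n in cert.ip_names):
            return "ok"
        return "%s is an IP address; the certificate carries no matching iPAddress SAN" % reference
    # Use SAN dNSName entries when present; the CN counts only as a fallback.
    candidates = cert.dns_names if cert.dns_names else [cert.common_name]
    if any(_dns_match(c, reference) for c in candidates):
        return "ok"
    return "%s does not match any certificate name %s" % (reference, candidates)


def matches(cert, reference):
    return explain_match(cert, reference) == "ok"


if __name__ == "__main__":
    # Constructed: a gateway cert issued to the public FQDN, as the thread ends up doing.
    gateway = CertNames("citrix.mypublicdomain.com", ["citrix.mypublicdomain.com"])
    for typed in ("citrix.mypublicdomain.com", "203.0.113.10", "ctx1.mydomain.ad"):
        print(typed, "->", explain_match(gateway, typed))
```

Two practical consequences follow from the rules the code encodes. A certificate issued to an FQDN can never satisfy a client that connects by IP address unless it also carries that IP as an iPAddress SAN, so testing by public IP will always produce the mismatch Carl describes. And current browsers and TLS libraries ignore the common name altogether, so when requesting the gateway certificate the public FQDN should be placed in the subjectAltName rather than relying on the CN alone.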

 

by: tech2010 | Posted on 2009-04-02 at 01:36:49 | ID: 24047629

Ben and Carl, you have both been very helpful. I will give it another go and let you know the outcome. Thanks

 

by: tech2010 | Posted on 2009-04-03 at 13:02:58 | ID: 24063676

Hello Ben and Carl,

Finally I managed to get SG working from internal and external. I added an entry into my public DNS and then re-installed everything from clean, and things just worked the first time.

It is now working using either the IP or the FQDN from outside.

However, one thing I need to ask, in fact a problem: because I use a certificate generated by my own private CA, when I go to any computer on the internet (outside world) and log on to my Citrix web SG, I can see my published apps, but when I click to open any published app I get an error "Error SSL 61: You have not chosen to trust the issuer of the server's... ", and when I install the certificate on that machine then it works awesome. So does that mean I have to install that certificate on all of my remote users' PCs in order to work from outside?

To give you an example, I went to my friend's home today and went to my Citrix web SG URL, and when I clicked on a published app I got the above SSL error. Because I had taken the certificate .p7b file on my USB stick, I then installed it on his machine and then everything worked awesome.

So please suggest how I get rid of this issue now.

Thanks

 

by: CarlWebster | Posted on 2009-04-03 at 13:36:42 | ID: 24064008

A way to get rid of the issue is to buy a $30 GoDaddy SSL cert and use it instead of your self-signed and self-generated cert.

If you insist on wasting your valuable time with your own cert, then you will need to provide each person with a copy of the file that you had to use at your friend's place.

 

by: tech2010 | Posted on 2009-04-03 at 14:25:39 | ID: 24064472

Yes, you are right, I will try to convince my manager to buy an SSL cert. Thanks

Just one last thing, sorry to be a pain. I want to redirect http:// to https://. At the moment it lets me go to both http and https, but I want that when users go to http:// it automatically redirects to https://.
Is there any easy way to do this?

Thanks again

 

by: BLipman | Posted on 2009-04-03 at 15:14:36 | ID: 24064811

There are two ways I typically do this, each with their own reasons.  The one I normally suggest is this:

Go into IIS and check "require SSL"; now people will get a 403-4 error when they use http://.
Now, go into IIS and point this to a custom error message. I normally just edit the default 403-4.html file and call it 403-4-redirect.html. You just need to add a meta refresh tag in the <head> section of the file pointing to https://MyCitrixSite.whatever...

 

by: tech2010 | Posted on 2009-04-03 at 17:22:11 | ID: 24065388

Can you please tell me the exact code I need to put into 403-4.html, as I don't have scripting skills. Thanks

 

by: tech2010 | Posted on 2009-04-04 at 04:45:25 | ID: 24066977

I tried to create an ASP file (SSLRedirect.asp) in the web root with the following code, replaced the 403.4 custom error with a URL to /SSRedirect.asp and then enabled the "SSL required" check, but it seems that the IIS on my Citrix gateway server is not happy to run .asp files. Do you have any suggestion?
<%
' IIS hands a URL-type 403.4 custom error the blocked request as 403;http://host/path in the query string
Data = Request.ServerVariables("QUERY_STRING")
' Strip the "403;" prefix, then swap the scheme
URL = Replace(Data, "403;", "")
URL = Replace(URL, "http://", "https://")
' Response.Redirect sends its own 302 status, so this line is overridden
Response.Status = "200 OK"
Response.Redirect URL
%>
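The same redirect done in the plain HTML custom error page Ben described, as an added example that is not part of this thread: a small script in 403-4-redirect.html that rewrites the blocked http:// URL to https:// while keeping the path and query, and, unlike the ASP above, refuses any host that is not the gateway's own FQDN so a crafted query string cannot turn the error page into an open redirect. "MyCitrixSite.whatever" is the placeholder host from Ben's post; the allow-list and function names are assumptions.

```javascript
// Added example: redirect logic for an IIS 403.4 "require SSL" custom error page.
// Assumption: replace the placeholder with the FQDN on your Secure Gateway certificate.
const ALLOWED_HOSTS = ["mycitrixsite.whatever"];

// IIS passes a URL-type custom error the blocked request as "403;http://host/path"
// in the query string; return the part after the "403;" prefix (or "" if absent).
function originalUrlFromQueryString(qs) {
  const s = qs.startsWith("?") ? qs.slice(1) : qs;
  const idx = s.indexOf(";");
  return idx === -1 ? s : s.slice(idx + 1);
}

// Rewrite an http:// URL to https:// on the same host, keeping path and query.
// Returns null unless the host is one we own, so the page never redirects
// a user to a host chosen by whoever crafted the query string.
function toHttpsUrl(href, allowedHosts = ALLOWED_HOSTS) {
  let u;
  try { u = new URL(href); } catch (e) { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (!allowedHosts.includes(u.hostname.toLowerCase())) return null;
  u.protocol = "https:";
  u.port = ""; // drop any non-default http port; the gateway listens on 443
  return u.toString();
}

// Prefer the URL IIS handed us, then the browser's own address, then the
// gateway's front page, so a bad input still lands on the https site.
function redirectTarget(queryString, currentHref, allowedHosts = ALLOWED_HOSTS) {
  const fromQs = originalUrlFromQueryString(queryString);
  return (fromQs && toHttpsUrl(fromQs, allowedHosts))
    || toHttpsUrl(currentHref, allowedHosts)
    || "https://" + allowedHosts[0] + "/";
}

// Inside the browser (when this script is embedded in 403-4-redirect.html),
// perform the redirect without leaving the http:// page in history.
if (typeof window !== "undefined" && typeof location !== "undefined") {
  location.replace(redirectTarget(location.search, location.href));
}
```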

 

by: CarlWebster | Posted on 2009-04-04 at 05:15:35 | ID: 24067052

Use HTML, not ASP.

 

by: tech2010 | Posted on 2009-04-04 at 06:17:28 | ID: 24067242

Can I put the same code above in the HTML file? Will it work? I will give it a go.

 

by: tech2010 | Posted on 2009-04-06 at 02:05:38 | ID: 24075409

Hi Carl/Ben

I had a debate with my manager when I told him that we have to buy a certificate for the Citrix gateway. This is not about the cost, but he does not think that it is needed. He thinks it will work with my own generated certificate because it is just for making internet users feel that they will be connected through a secure channel. Because we already have our webmail working the same way, where he did not have to buy a certificate, he relates the same to the Citrix gateway as well.

As you know, in my current scenario, if a person connects to the gateway from the internet he has to install the certificate on his machine, otherwise he will get a certificate error, and as you suggested, to resolve this issue I have to buy a certificate from a trusted root, e.g. GoDaddy or VeriSign etc.

Please clarify.

thanks

 

by: tech2010 | Posted on 2009-04-06 at 03:09:21 | ID: 24075731

He is arguing with me, please explain?

 

by: CarlWebster | Posted on 2009-04-06 at 04:09:59 | ID: 24076039

Save $30 and spend hours of your, obviously worthless, time (according to your boss), and use your own SSL cert.  Don't argue with the boss.  He obviously knows more than the experts here do.  Then when things get to be a royal PITA, buy your $30 certificate.

I will not waste my time arguing over trying to save you $30.  Either do what we recommend or what your boss says.  He is in charge of your pay so I know who I would follow.  Just document our conversations here to CYA when things don't go well.

I will be gone all week so I will not be back on EE for another week.

 

by: tech2010 | Posted on 2009-04-06 at 05:10:55 | ID: 24076441

Carl, I respect what you are saying; as I said, this is not about cost. We are happy to spend $30, but I was looking for a technical answer from your side rather than suggesting the same things. By technical answer I mean "privately generated cert vs. buying a cert for Secure Gateway"?

Anyway, thanks for your help. I will close this case now.

 

by: tech2010 | Posted on 2009-04-06 at 05:28:57 | ID: 31563427

Thanks Carl and Ben
