Citrix Secure Gateway with Citrix XenDesktop 5

OK, I have been working on this for some time. Having learned and gained certification in XenDesktop 4, along came version 5, which was released last month.

Since then I have been working to deploy XenDesktop 5 in a small environment with only 2 virtual machines. The first thing was to learn the new concepts in XD5 and understand how they relate to XD4. I then began to deploy the required components and got it up and running internally; however, my main issue to tackle was providing external access, which proved a hassle. The following is what I did to successfully implement external access.

Citrix Secure Gateway

OK, there are different ways of implementing external access. Notably, for one of our clients we used NATing to achieve this; this is not the most ideal way, as it requires a lot of configuration and generally is more time consuming. Find out how to do this here.

The NATing option basically maps the internal IP of the XD server to an external IP. The problem arises when launching an ICA session, as it has to map to an internal virtual desktop, which obviously does not carry a public IP. This is overcome by using port forwarding to the internal IP of the desired desktop; port forwarding has to be done for every virtual machine and thus is not the best way to implement external access for a large environment. This is where CSG (Citrix Secure Gateway) comes into play.

Citrix have the Access Gateway appliance, which is a hardware version of CSG. This is of course the preferred way to implement external secure access; however, in my scenario I am running XD in a small environment, and thus it would not be feasible to invest in this appliance.

Step 1 - Obtaining a third party SSL certificate

OK, from reading around I learnt that an SSL certificate was required to implement CSG. Initially I thought these were paid-for certificates; however, with some searching I came across StartSSL. Once registered with them, one is able to generate a free SSL certificate which can be used in conjunction with the given domain name. Following are the steps to generate an SSL cert:

1) Set up the chosen domain name
2) In the StartSSL control panel, validate the domain name
3) An email is sent to the postmaster of the domain, and with the activation code in the email one can validate the domain
4) Generate a certificate request in IIS Manager on the given server
5) In the StartSSL control panel, use the wizard to generate a certificate and paste in the code output from the request in step 4
6) StartSSL will then output the certificate code, which is saved as a .pkt file
7) The certificate is now ready to be used for secure access; time for configuring SSL

Step 2 - Trying to implement CSG on the Controller server along with Web Interface

This proved to be a big hassle, mainly because I had to configure CSG to use port 443, as it will manage https:// traffic. I could not get it to use port 443, as the configuration stage kept complaining that the port was in use by another process.

I investigated this further and ran the command netstat -am to show all the processes and which ports were being listened on on the server. In the end, using the PID, I managed to identify that the NT Kernel and System process was using port 443. I searched Google frantically and even went on the forums to ask around, but no one seemed to be able to help me; many assumed that IIS (Internet Information Services) was using this port. I then attempted to use port 444 for CSG, but I still could not get it to direct to the login page, and also I did not want users to enter :444 in the address.

Step 3 - Created a new server for Web Interface and CSG

Since port 443 was in use and I did not know for the life of me what was using it, I decided to simply copy my existing VM server and then sysprep the copy to use as a dedicated web server for XenDesktop. I read somewhere on the Citrix forums that a user uninstalled the DDC and port 443 was freed, so I assumed that since the DDC would not be on the new server the port would be free, and as I suspected it was.

I then configured CSG to use port 443 and in the WI console reconfigured the XenDesktop site's secure access to use Gateway Direct on port 443. I also changed the XML settings to point to the controller server so that WI can initiate an ICA connection. I'll summarise things to remember in bullet points below:

    * CSG acts as the DMZ component and manages connections between the virtual desktops and the external world
    * The Secure Ticket Authority is the server that holds the controller
    * IIS must not be configured to use port 443; use port 444 if binding with https
    * You can use the IIS default site; there is no need to create a new site in IIS
    * The PNAgent site is the site used by iOS devices (e.g., iPod, iPad); make sure to configure it using Gateway Direct
    * The SSL cert must be installed on the controller server and on the WI/CSG server
    * CSG manages the ICA connections
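Two of the checks above (Step 2's "what is holding port 443?" question and the bullet that IIS must not bind 443) can be answered from one PowerShell session before CSG is configured. The script below is an added example and is not part of the original post or of any Citrix tooling; it assumes a Windows Server with IIS 7 or later (so the WebAdministration module is present) and uses only built-in netstat and netsh. The port list and the 444 alternative are taken from the post; everything else is illustrative.

```powershell
# Added example (not from the original post): report which process owns each
# TCP listener on 443/444, list IIS https bindings, and show HTTP.sys SSL
# registrations. Assumes Windows Server with IIS 7+ (WebAdministration module).
$Ports = @(443, 444)   # 443 is what CSG needs; 444 is the post's fallback for IIS

function Get-PortOwner {
    param([int]$Port)
    # netstat -ano prints the owning PID; match only LISTENING TCP sockets on $Port.
    # The address group also matches IPv6 forms such as [::]:443.
    $pattern = "^\s*TCP\s+(\S+):$Port\s+\S+\s+LISTENING\s+(\d+)\s*$"
    foreach ($line in (netstat -ano -p tcp)) {
        if ($line -match $pattern) {
            $ownerPid = [int]$Matches[2]
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $Port
                Address = $Matches[1]
                PID     = $ownerPid
                # PID 4 is the System process: the socket belongs to a kernel-mode
                # driver (HTTP.sys is the usual one), not to a user-mode service.
                Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        }
    }
}

function Get-HttpsBindings {
    # IIS site bindings of the form *:443: would collide with CSG on 443.
    try {
        Import-Module WebAdministration -ErrorAction Stop
        Get-WebBinding -Protocol https |
            Select-Object protocol, bindingInformation, ItemXPath
    } catch {
        Write-Warning "WebAdministration module not available: $($_.Exception.Message)"
    }
}

"--- TCP listeners on $($Ports -join ', ') ---"
$owners = foreach ($p in $Ports) { Get-PortOwner -Port $p }
$owners | Format-Table -AutoSize

"--- IIS https bindings (move any on 443 to 444 before configuring CSG) ---"
Get-HttpsBindings | Format-Table -AutoSize

"--- HTTP.sys SSL certificate registrations ---"
netsh http show sslcert

if ($owners | Where-Object { $_.Port -eq 443 -and $_.PID -eq 4 }) {
    "Port 443 is held by PID 4 (System), i.e. a kernel-mode listener such as HTTP.sys."
    "Run 'netsh http show servicestate' to see which URL namespaces are registered there."
}
```

Run it in an elevated PowerShell prompt on the candidate WI/CSG server. A listener on 443 owned by PID 4 matches the "NT Kernel and System" symptom described in Step 2: HTTP.sys binds the port in kernel mode on behalf of whichever application registered the URL, so the netstat output alone cannot name that application and the servicestate query is the next step.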
