Secure Gateway, Certificate Services CA Root, and Web Interface on the same box

Posted on 2006-04-11
Last Modified: 2012-08-14
Okay... this is what I have done.

I have one Citrix server in our DMZ with the following.

Certificate Services installed - acting as a Standalone Root CA
This server only has one nic in it.
The web interface is also installed on this machine, along with Secure Gateway.
It has one public IP address NATed to its internal address, with port 443 (SSL) opened up on the firewall.
I have installed a certificate for the default web site to use, and using port 443.

I know this is not an ideal setup, as EVERYTHING is basically on the same box... Secure Gateway and the WI.

In this configuration:

How can I get external clients to connect through https to the secure gateway and then route that through to the web interface?
In this configuration, do I have to open up more than port 443, or have multiple IP addresses assigned to this machine, and have the web interface on one ip on port 443, and the secure gateway on another ip on port 443?

Basically I'm trying to do the following:

external clients connect by connecting to the web interface https://<fqdn>
then somehow secure gateway does its thing.

Both the WI and CSG are on the same box, and I'm not sure how to get BOTH working as both are trying to use port 443.

At the moment, I can connect through to the web interface externally on https://<fqdn> (port 443), but as soon as I try and configure the CSG (which also tries to use the same port), it keels over.

The options in the CSG tool are as follows:

"Details of the server running the web interface"
Access options:
Indirect. To access the web interface, users can enter the url of the secure gateway (guys, what is this url path?)
installed on this computer
tcp port

Any help greatly appreciated.
Question by: Simon336697

    Assisted Solution

    You shouldn't configure your WI to use port 443. It should use port 80 instead.
    The CSG will accept incoming connections on port 443 and decrypt/translate them to port 80 for the local web interface.

    "Details of the server running the web interface"
    Access options:
    Indirect. To access the web interface, users can enter the url of the secure gateway (guys, what is this url path?) <- it's the one pointing to your external IP address. Create a DNS entry for your external address like (it's also the name your certificate needs to be generated for!)

    installed on this computer (needs to be ticked!)
    Direct (don't tick direct!)
    FQDN: localhost
    tcp port: 80

    Hope it helps,


    Author Comment

    Hi Mike!

    Mate I really appreciate your help.

    Could I please just clarify something with you.
    Here is my problem.

    When I act as an external client, I type in https://<public address>

    This takes me to my web interface. I've set the web interface to be port 80, but I also set the SSL port for the default web site to be port 443 for the certificate. If I leave this at 443, then configure the CSG with port 443, then I get an error saying it's in use (that is, by the WWW service).

    What I'm getting confused about is: should https://<public address> map to a URL (some kind of CSG URL path) and then bring up the web interface?
    I've got all this stuff on the one box. When I installed CSG, it said that the machine needed a certificate, so I installed Certificate Services and then installed the certificate to the default web site, the one that Citrix is a part of.

    Sorry for these probably easy questions I'm asking.


    Expert Comment


    When you type https://, the CSG will handle the connection and forward it to the web interface, since they are installed on the same server. So what you need to do is change the IIS port to something like 444 (it just can't be 443) for your website. Also, under the "Directory Security" tab in IIS, click the "Edit" button in the Secure Communications section and make sure that "Require Secure Channel (SSL)" is not checked. Since they are on the same server you don't need SSL communication between your CSG & WI.
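The conflict described above (IIS holding 443 so Secure Gateway cannot bind it) is visible from the command line. The script below is an added example, not code from the thread or from Citrix: it parses the text that `netstat -ano -p tcp` and `tasklist` print on Windows Server 2003 and reports whether the layout recommended in this thread is in place, i.e. CSG owns TCP 443, the Web Interface site sits in IIS on 444, and the XML/STA port (80 by default) is listening. The sample outputs are constructed, and the Citrix image names in the tasklist sample (`CtxSecGwy.exe`, `IcaSrv.exe`) are placeholders; confirm the real service image names in the Services MMC before relying on them.

```python
"""Added example: who owns each listener on a box running CSG + WI + IIS?

Not code from the thread or from Citrix. Sample outputs are constructed;
Citrix image names are placeholders.
"""
import re

# IIS 6 listens through http.sys, so its sockets are reported under the
# System process, PID 4. A 443 listener owned by PID 4 is the "port in
# use by the WWW service" error described in the thread.
HTTP_SYS_PID = 4

LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)
TASK_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+\s+K\s*$")

# Constructed `netstat -ano -p tcp` output for the starting position in the
# question: the WI site in IIS holds 443, so CSG cannot bind it.
NETSTAT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1494           0.0.0.0:0              LISTENING       1880
  TCP    192.168.1.10:443       203.0.113.5:51234      ESTABLISHED     4
"""

# Constructed output after moving the WI site to 444 and starting CSG.
NETSTAT_AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1504
  TCP    0.0.0.0:444            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1494           0.0.0.0:0              LISTENING       1880
"""

# Constructed `tasklist` output; the Citrix image names are placeholders.
TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
CtxSecGwy.exe                 1504 Console                    0      9,340 K
IcaSrv.exe                    1880 Console                    0      2,104 K
"""


def parse_netstat(text):
    """Map each LISTENING TCP port to (owning PID, local address)."""
    listeners = {}
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners[int(m.group("port"))] = (int(m.group("pid")), m.group("addr"))
    return listeners


def parse_tasklist(text):
    """Map PID to image name; the header and separator rows never match."""
    procs = {}
    for line in text.splitlines():
        m = TASK_RE.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("image")
    return procs


def check_layout(listeners, procs, csg_port=443, wi_port=444, xml_port=80):
    """Return a list of findings; an empty list means the layout matches."""
    def owner(port):
        pid = listeners[port][0]
        return f"{procs.get(pid, 'unknown')} (PID {pid})"

    findings = []
    if csg_port not in listeners:
        findings.append(f"nothing listens on {csg_port}: Secure Gateway is not up")
    elif listeners[csg_port][0] == HTTP_SYS_PID:
        findings.append(f"{csg_port} is held by http.sys/IIS, owner {owner(csg_port)}: "
                        f"move the IIS SSL binding off {csg_port} so CSG can bind it")
    if wi_port not in listeners:
        findings.append(f"nothing listens on {wi_port}: the WI site is not bound there")
    elif listeners[wi_port][0] != HTTP_SYS_PID:
        findings.append(f"{wi_port} is owned by {owner(wi_port)}, not IIS: "
                        f"CSG will not reach the Web Interface there")
    if xml_port not in listeners:
        findings.append(f"nothing listens on {xml_port}: the XML/STA service is unreachable")
    return findings


if __name__ == "__main__":
    procs = parse_tasklist(TASKLIST)
    for label, sample in (("before", NETSTAT_BEFORE), ("after", NETSTAT_AFTER)):
        problems = check_layout(parse_netstat(sample), procs)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it on a real box by replacing the two constructed samples with the captured output of `netstat -ano -p tcp` and `tasklist`; the "before" sample reproduces the thread's starting state and yields two findings, the "after" sample yields none.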

    Author Comment

    Hi mgcIT and mpfister!
    Both you guys are obviously guns, and I really thank you for your help.

    This question is similar to another one I have open at the moment which I'm trying to fix. Both your guys' suggestions here have helped.
    I just now have one issue.

    I now see the CSG is working since I did what mgcIT suggested and changed the IIS port to 444 and deselected the require secure channel.

    Externally, I can now https://<public ip address> to the web interface.
    I then log in.
    I have an issue though whenever i launch a citrix app and with the certificate.

    On the csg server, i installed the certificate. I have also on this server, installed, the standalone ROOT CA (Certificate Services), the web interface, presentation server and IIS.

    I configured CSG to point to the STA server ITSELF with a FQDN - but one which I cannot access EXTERNALLY. Do I have to register this FQDN as a domain name to get to itself when connecting to the STA server?


    Accepted Solution


    I think I have answered this question in the other thread "STA Server and Citrix" but I will answer here as well.

    The STA service is installed automatically when you install Citrix PS 4.0 on your server.  So this will not be the same server as your CSG / WI.  When it asks for the STA server just use the internal domain name of your server such as citrix1.mydomain.hq.  It does not have to be public.

    You will specify this in 2 places:

    1. When running the CSG configuration.  Type in the name and also change the port to your XML port if you are not using the default (80).

    2. In the Web Interface Admin console.  Under Manage secure Client Access > Edit Secure Gateway Settings.  Add your STA server(s) here.  

    Author Comment

    Thank you guys!!!

