Secure Gateway, Certificate Services CA Root, and Web Interface on the same box

Okay....this is what I have done.

I have one Citrix server in our DMZ with the following.

Certificate Services installed - acting as a Standalone Root CA
This server only has one nic in it.
The web interface is also installed on this machine, along with Secure Gateway.
It has one public IP address natted to its internal, with port 443 (ssl) opened up on the firewall.
I have installed a certificate for the default web site to use, and using port 443.

I know this is not an ideal setup, as EVERYTHING is basically on the same box... Secure Gateway and the WI.

In this configuration:

How can I get external clients to connect through https to the secure gateway and then route that through to the web interface?
In this configuration, do I have to open up more than port 443, or have multiple IP addresses assigned to this machine, and have the web interface on one ip on port 443, and the secure gateway on another ip on port 443?

Basically I'm trying to do the following:

external clients connect by connecting to the web interface https://<fqdn>
then somehow secure gateway does its thing.

Both the WI and CSG are on the same box, and I'm not sure how to get BOTH working as both are trying to use port 443.

At the moment, I can connect through to the web interface externally on https://<fqdn> (port 443), but as soon as I try and configure the CSG (which also tries to use the same port), it keels over.

The options in the CSG tool are as follows:

"Details of the server running the web interface"
Access options:
Indirect. To access the web interface, users can enter the url of the secure gateway (guys, what is this url path?)
installed on this computer
tcp port

Any help greatly appreciated.

Michael Pfister commented:
You shouldn't configure your WI to use port 443. It should use port 80 instead.
The CSG will accept incoming connections on port 443 and decrypt/translate them to port 80 for the local web interface.

"Details of the server running the web interface"
Access options:
Indirect. To access the web interface, users can enter the url of the secure gateway (guys, what is this url path?) <- it's the one pointing to your external IP address. Create a DNS entry for your external address like (it's also the name your certificate needs to be generated for!)

installed on this computer (needs to be ticked!)
Direct (don't tick direct!)
FQDN: localhost
tcp port: 80

Hope it helps,

Simon336697 (Author) commented:
Hi Mike!

Mate I really appreciate your help.

Could I please just clarify something with you.
Here is my problem.

When I act as an external client, I type in https://<public address>

This takes me to my web interface. I've set the web interface to be port 80, but also I set the ssl port for the default web site to be port 443 for the certificate. If I leave this at 443, then configure the csg with port 443, then I get an error saying it's in use (that is by the www service).

What I'm getting confused about is: should https://<public address> map to a url (some kind of csg url path) and then bring up the web interface?
I've got all this stuff on the one box. When I installed csg, it said that the machine needed a certificate, so I installed certificate services and then installed the certificate to the default web site, the one that citrix is a part of.

Sorry for these probably easy questions I'm asking.


When you type https:// the CSG will handle the connection and forward it to the web interface since they are installed on the same server. So what you need to do is change the IIS port to something like 444 (it just can't be 443) for your website. Also make sure under the "Directory Security" tab in IIS, click the "Edit" button in the Secure Communications section. Make sure that "Require Secure Channel (SSL)" is not checked. Since they are on the same server you don't need SSL communication between your CSG & WI.
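The layout the two answers describe (CSG alone on 443, the Web Interface site on 80 or 444 with "Require Secure Channel (SSL)" off) can be verified from a PowerShell prompt on the box before CSG is configured, so the "port in use by the www service" clash is visible up front. The script below is an added example written for this thread; it is not from the thread's participants or from Citrix. It assumes the Windows `netstat -ano` output format, the IIS 6 metabase property names `ServerBindings`, `SecureBindings` and `AccessSSLFlags` (where the `AccessSSL` bit is 8), and that the WI lives in the Default Web Site (`IIS://localhost/W3SVC/1`). The sample netstat lines at the bottom are constructed to show what a clash looks like.

```powershell
# Added example, not from the thread: report who holds the ports CSG and the
# Web Interface need, and whether the IIS site still claims 443 / requires SSL.
# Assumptions: netstat -ano line format; IIS 6 metabase property names.

function Get-ListenerOwners {
    param([string[]]$NetstatLines, [int[]]$Ports)
    # Parse lines like "  TCP    0.0.0.0:443    0.0.0.0:0    LISTENING    1234"
    foreach ($line in $NetstatLines) {
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $port = [int]$Matches[2]
            if ($Ports -contains $port) {
                $owner = [int]$Matches[3]
                $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
                $name  = 'unknown'
                if ($proc) { $name = $proc.ProcessName }
                New-Object PSObject -Property @{
                    Port = $port; Address = $Matches[1]; ProcessId = $owner; Process = $name
                }
            }
        }
    }
}

function Test-CsgWiPorts {
    # $WiPort is the port you moved the IIS site to (80 or 444 in the thread).
    param([string[]]$NetstatLines = (netstat -ano), [int]$WiPort = 444)
    $findings  = @()
    $listeners = @(Get-ListenerOwners -NetstatLines $NetstatLines -Ports @(443, $WiPort))
    $on443     = @($listeners | Where-Object { $_.Port -eq 443 })
    $onWi      = @($listeners | Where-Object { $_.Port -eq $WiPort })

    if ($on443.Count -eq 0) {
        $findings += 'Nothing listens on 443: CSG is not running or not yet configured.'
    }
    foreach ($l in $on443) {
        # IIS 6 listens through http.sys in the kernel, which netstat reports
        # as PID 4 (System). System on 443 means IIS still has an SSL binding there.
        if ($l.ProcessId -eq 4) {
            $findings += "443 is held by http.sys/IIS (PID 4): remove the IIS SSL binding so CSG can bind 443."
        }
    }
    if ($on443.Count -gt 1) {
        $pids = ($on443 | ForEach-Object { $_.ProcessId }) -join ','
        $findings += "More than one listener on 443 (PIDs $pids)."
    }
    if ($onWi.Count -eq 0) {
        $findings += "Nothing listens on $WiPort - the Web Interface site is not up on its new port."
    }
    $findings
}

function Test-WiSiteBindings {
    # Reads the IIS 6 metabase for the site CSG forwards to (Default Web Site assumed).
    param([string]$SitePath = 'IIS://localhost/W3SVC/1')
    $site     = [adsi]$SitePath
    $findings = @()
    foreach ($b in @($site.InvokeGet('ServerBindings'))) {
        if ($b -match ':443:') { $findings += "HTTP binding on 443 clashes with CSG: $b" }
    }
    foreach ($b in @($site.InvokeGet('SecureBindings'))) {
        if ($b -match ':443:') { $findings += "SSL binding on 443 clashes with CSG: $b" }
    }
    # AccessSSL (bit 8) set means "Require Secure Channel (SSL)" is ticked; CSG
    # talks plain HTTP to the local WI, so that box must be clear.
    $flags = [int]$site.InvokeGet('AccessSSLFlags')
    if (($flags -band 8) -ne 0) {
        $findings += '"Require Secure Channel (SSL)" is on for this site; clear it.'
    }
    $findings
}

# Constructed sample: IIS (PID 4) still owns 443 and nothing is on 444 yet.
$sample = @(
    '  TCP    0.0.0.0:80     0.0.0.0:0    LISTENING    4',
    '  TCP    0.0.0.0:443    0.0.0.0:0    LISTENING    4',
    '  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    820'
)
Test-CsgWiPorts -NetstatLines $sample -WiPort 444

# On the real box, run both checks against live data:
# Test-CsgWiPorts -WiPort 444
# Test-WiSiteBindings
```

Run against the constructed sample, `Test-CsgWiPorts` reports that 443 is held by PID 4 and that nothing listens on 444; once the site is moved to 444 and its SSL binding removed, both lists should come back empty and CSG's own process should be the single owner of 443.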

Simon336697 (Author) commented:
Hi mgcIT and mpfister!
Both you guys are obviously guns, and I really thank you for your help.

This question is similar to another one I have open at the moment which I'm trying to fix. Both your guys' suggestions here have helped.
I just now have one issue.

I now see the csg is working since I did what mgcIT suggested and changed the iis port to 444 and deselected the require secure channel.

Externally, I can now https://<public ip address> to the web interface.
I then log in.
I have an issue though whenever I launch a citrix app, and with the certificate.

On the csg server, I installed the certificate. I have also on this server installed the standalone ROOT CA (Certificate Services), the web interface, presentation server and IIS.

I configured csg to point to the sta server ITSELF with a FQDN - but one which I cannot access EXTERNALLY. Do I have to register this fqdn as a domain name to get to itself when connecting to the sta server?


I think I have answered this question in the other thread "STA Server and Citrix" but I will answer here as well.

The STA service is installed automatically when you install Citrix PS 4.0 on your server.  So this will not be the same server as your CSG / WI.  When it asks for the STA server just use the internal domain name of your server such as citrix1.mydomain.hq.  It does not have to be public.

You will specify this in 2 places:

1. When running the CSG configuration.  Type in the name and also change the port to your XML port if you are not using the default (80).

2. In the Web Interface Admin console.  Under Manage secure Client Access > Edit Secure Gateway Settings.  Add your STA server(s) here.  

Simon336697 (Author) commented:
Thank you guys!!!

Question has a verified solution.