Simon336697 asked:

Secure Gateway, Certificate Services CA Root, and Web Interface on the same box

Okay....this is what I have done.

I have one Citrix server in our DMZ with the following.

Certificate Services installed - acting as a Standalone Root CA
This server only has one NIC in it.
The web interface is also installed on this machine, along with Secure Gateway.
It has one public IP address NATed to its internal, with port 443 (SSL) opened up on the firewall.
I have installed a certificate for the default web site to use, and using port 443.

I know this is not an ideal setup, as EVERYTHING is basically on the same box.........Secure Gateway and the WI.

In this configuration:

How can I get external clients to connect through https to the secure gateway and then route that through to the web interface?
In this configuration, do I have to open up more than port 443, or have multiple IP addresses assigned to this machine, and have the web interface on one IP on port 443, and the secure gateway on another IP on port 443?

Basically I'm trying to do the following:

external clients connect by connecting to the web interface https://<fqdn>
then somehow secure gateway does its thing.

Both the WI and CSG are on the same box, and I'm not sure how to get BOTH working as both are trying to use port 443.

At the moment, I can connect through to the web interface externally on https://<fqdn> (port 443), but as soon as I try and configure the CSG (which also tries to use the same port), it keels over.

The options in the CSG tool are as follows:

"Details of the server running the web interface"
Access options:
Indirect. To access the web interface, users can enter the URL of the secure gateway (guys, what is this URL path?)
installed on this computer
Direct
Details
FQDN
TCP port



Any help greatly appreciated.
SOLUTION
Michael Pfister

This solution is only available to members.

Simon336697 (ASKER)

Hi Mike!

Mate I really appreciate your help.

Could I please just clarify something with you.
Here is my problem.

When I act as an external client, I type in https://<public address>

This takes me to my web interface. I've set the web interface to be port 80, but also I set the SSL port for the default web site to be port 443 for the certificate. If I leave this at 443, then configure the CSG with port 443, then I get an error saying it's in use (that is, by the www service).

What I'm getting confused about is should https://public address map to a URL (some kind of CSG URL path) then bring up the web interface.
I've got all this stuff on the one box. When I installed CSG, it said that the machine needed a certificate, so I installed Certificate Services and then installed the certificate to the default web site, the one that Citrix is a part of.

Sorry for these probably easy questions I'm asking.

Simon

Simon,

When you type https:// the CSG will handle the connection and forward it to the web interface since they are installed on the same server. So what you need to do is change the IIS port to something like 444 (just can't be 443) for your website. Also, under the "Directory Security" tab in IIS, click the "Edit" button in the Secure Communications section. Make sure that "Require Secure Channel (SSL)" is not checked. Since they are on the same server you don't need SSL communication between your CSG & WI.

Hi mgcIT and mpfister!
Both you guys are obviously guns, and I really thank you for your help.

This question is similar to another one I have open at the moment which I'm trying to fix. Both your guys' suggestions here have helped.
I just now have one issue.

I now see the CSG is working since I did what mgcIT suggested and changed the IIS port to 444 and deselected the require secure channel.

Externally, I can now https://<public ip address> to the web interface.
I then log in.
I have an issue though whenever I launch a Citrix app, and with the certificate.

On the CSG server, I installed the certificate. I have also on this server installed the standalone ROOT CA (Certificate Services), the web interface, Presentation Server and IIS.

I configured CSG to point to the STA server ITSELF with a FQDN - but one which I cannot access EXTERNALLY. Do I have to register this FQDN as a domain name to get to itself when connecting to the STA server?




ASKER CERTIFIED SOLUTION

This solution is only available to members.

Thank you guys!!!

Simon