SSL for Citrix Web Interface

Hi,

I want to be able to provide Citrix Apps from the real world. I currently have Citrix PS 4.5 running internally.

What is the best and most secure way to do this?

Do i just buy a certificate and select 443 in IIS and just NAT it through my firewall or use CSG??

Got no experience with CSG but is this recommended?

Thanks
monarchitAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

mrwalker15Commented:
I dont recommend CSG/AGEE from personal experience.

My suggestion is to use a SSL VPN appliance such a Juniper, F5 or Cisco.
0
monarchitAuthor Commented:
I have a Cisco firewall in place. Do i just NAT 443 to my Citrix Web Interface?
0
mrwalker15Commented:
You could use that but you will then need a certificate. I would put your presentation server in a DMZ as it will be accessible externally.
This is not the most secure way as there is no authentication of users prior to connecting to the server.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

monarchitAuthor Commented:
My web interface and Citrix presentaton server are in seperate servers and also our remote sites connect to the presentation server through our site to site VPN?
0
AaronITCommented:
I disagree with not using Secure Gateway.

There are 2 remote options, you can install Secure Gateway, purchase your Cert and push 443 from your firewall to your SG and things are secure.  

If you would prefer an appliance, you can get the Citrix Access Gateway, which works just like secure gateway but is an appliance. It has other features such as Endpoint analysis, and you can have seperate application policies for remote users.  For instance, if you wanted to just give them outlook, but internally they get 10 other applications you can do that.

I wouldn't use VPN either, makes life more difficult.

Get your Cert, install SG on your Web interface box, configure it, point 443 to that same box, and wham you are good to go in less then 20 minutes.
0
monarchitAuthor Commented:
Would you not recommend just Natting 443 staright to the web interface without SG?

Also where do i get SG from? Is that on the CD
0
monarchitAuthor Commented:
Also my web interface is currently a server in the DMZ
0
AaronITCommented:
Monarchit

If your WI is in the DMZ do all users hit it via the external FQDN?  If they don't then you are going to have put an altaddr record on the WI to make sure to change the ICA files to an external IP, not a problem to do just a little more complication that Secure Gateway does for you.  

I personally wouldn't recommend just natting 443 through unless you are using Secure Gatway.

Secure Gateway comes with PS 4.5 might as well use it, it makes your life easier on the config side, and SSL management side.  I believe it's on the Components CD, but it is on one of them, i just can't remember which off the top of my head. You can also download it from your My Citrix account.
0
monarchitAuthor Commented:
Yes all my users will hit it via FQDN so just wanted to stick a certificate on it?
0
Carl WebsterCommented:
The FREE Citrix Secure Gateway is a piece of cake to install, setup and use.

I use a GoDaddy wildcard SLL cert on my personal lab setups.

http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part1.html

http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part2.html

Citrix doesn't recommend installing CSG and WI on the same server but they support it and I have NEVER had an issue with it.

0
AaronITCommented:
Monarch,

Yep use IIS to create the Cert and get it from GoDaddy they are the cheapest. that's how we have it set up.

once you have the cert installed go through the SG installation and it's a breeze.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
chuckyhCommented:
I 2nd the CSG/CAG recommendation. Simple and secure. Running WI and CSG on the same box is very easy to setup. The links provided by CarlWebster helped me a lot with my setup.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Citrix

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.