monarchit
asked on
SSL for Citrix Web Interface
Hi,
I want to be able to provide Citrix Apps from the real world. I currently have Citrix PS 4.5 running internally.
What is the best and most secure way to do this?
Do i just buy a certificate and select 443 in IIS and just NAT it through my firewall or use CSG??
Got no experience with CSG but is this recommended?
Thanks
I want to be able to provide Citrix Apps from the real world. I currently have Citrix PS 4.5 running internally.
What is the best and most secure way to do this?
Do i just buy a certificate and select 443 in IIS and just NAT it through my firewall or use CSG??
Got no experience with CSG but is this recommended?
Thanks
ASKER
I have a Cisco firewall in place. Do i just NAT 443 to my Citrix Web Interface?
You could use that but you will then need a certificate. I would put your presentation server in a DMZ as it will be accessible externally.
This is not the most secure way as there is no authentication of users prior to connecting to the server.
This is not the most secure way as there is no authentication of users prior to connecting to the server.
ASKER
My web interface and Citrix presentaton server are in seperate servers and also our remote sites connect to the presentation server through our site to site VPN?
I disagree with not using Secure Gateway.
There are 2 remote options, you can install Secure Gateway, purchase your Cert and push 443 from your firewall to your SG and things are secure.
If you would prefer an appliance, you can get the Citrix Access Gateway, which works just like secure gateway but is an appliance. It has other features such as Endpoint analysis, and you can have seperate application policies for remote users. For instance, if you wanted to just give them outlook, but internally they get 10 other applications you can do that.
I wouldn't use VPN either, makes life more difficult.
Get your Cert, install SG on your Web interface box, configure it, point 443 to that same box, and wham you are good to go in less then 20 minutes.
There are 2 remote options, you can install Secure Gateway, purchase your Cert and push 443 from your firewall to your SG and things are secure.
If you would prefer an appliance, you can get the Citrix Access Gateway, which works just like secure gateway but is an appliance. It has other features such as Endpoint analysis, and you can have seperate application policies for remote users. For instance, if you wanted to just give them outlook, but internally they get 10 other applications you can do that.
I wouldn't use VPN either, makes life more difficult.
Get your Cert, install SG on your Web interface box, configure it, point 443 to that same box, and wham you are good to go in less then 20 minutes.
ASKER
Would you not recommend just Natting 443 staright to the web interface without SG?
Also where do i get SG from? Is that on the CD
Also where do i get SG from? Is that on the CD
ASKER
Also my web interface is currently a server in the DMZ
Monarchit
If your WI is in the DMZ do all users hit it via the external FQDN? If they don't then you are going to have put an altaddr record on the WI to make sure to change the ICA files to an external IP, not a problem to do just a little more complication that Secure Gateway does for you.
I personally wouldn't recommend just natting 443 through unless you are using Secure Gatway.
Secure Gateway comes with PS 4.5 might as well use it, it makes your life easier on the config side, and SSL management side. I believe it's on the Components CD, but it is on one of them, i just can't remember which off the top of my head. You can also download it from your My Citrix account.
If your WI is in the DMZ do all users hit it via the external FQDN? If they don't then you are going to have put an altaddr record on the WI to make sure to change the ICA files to an external IP, not a problem to do just a little more complication that Secure Gateway does for you.
I personally wouldn't recommend just natting 443 through unless you are using Secure Gatway.
Secure Gateway comes with PS 4.5 might as well use it, it makes your life easier on the config side, and SSL management side. I believe it's on the Components CD, but it is on one of them, i just can't remember which off the top of my head. You can also download it from your My Citrix account.
ASKER
Yes all my users will hit it via FQDN so just wanted to stick a certificate on it?
The FREE Citrix Secure Gateway is a piece of cake to install, setup and use.
I use a GoDaddy wildcard SLL cert on my personal lab setups.
http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part1.html
http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part2.html
Citrix doesn't recommend installing CSG and WI on the same server but they support it and I have NEVER had an issue with it.
I use a GoDaddy wildcard SLL cert on my personal lab setups.
http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part1.html
http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part2.html
Citrix doesn't recommend installing CSG and WI on the same server but they support it and I have NEVER had an issue with it.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I 2nd the CSG/CAG recommendation. Simple and secure. Running WI and CSG on the same box is very easy to setup. The links provided by CarlWebster helped me a lot with my setup.
My suggestion is to use a SSL VPN appliance such a Juniper, F5 or Cisco.