Solved

SSL for Citrix Web Interface

Posted on 2008-10-27
Last Modified: 2012-05-05
Hi,

I want to be able to provide Citrix Apps from the real world. I currently have Citrix PS 4.5 running internally.

What is the best and most secure way to do this?

Do I just buy a certificate and select 443 in IIS and just NAT it through my firewall, or use CSG?

Got no experience with CSG but is this recommended?

Thanks
0
Comment
Question by:monarchit
12 Comments
 
LVL 3

Expert Comment

by:mrwalker15
ID: 22812882
I don't recommend CSG/AGEE from personal experience.

My suggestion is to use an SSL VPN appliance such as Juniper, F5 or Cisco.
0
 

Author Comment

by:monarchit
ID: 22812930
I have a Cisco firewall in place. Do I just NAT 443 to my Citrix Web Interface?
0
 
LVL 3

Expert Comment

by:mrwalker15
ID: 22813005
You could use that but you will then need a certificate. I would put your presentation server in a DMZ as it will be accessible externally.
This is not the most secure way as there is no authentication of users prior to connecting to the server.
0

 

Author Comment

by:monarchit
ID: 22813375
My web interface and Citrix presentation server are on separate servers and also our remote sites connect to the presentation server through our site to site VPN?
0
 
LVL 2

Expert Comment

by:AaronIT
ID: 22813469
I disagree with not using Secure Gateway.

There are 2 remote options, you can install Secure Gateway, purchase your Cert and push 443 from your firewall to your SG and things are secure.  

If you would prefer an appliance, you can get the Citrix Access Gateway, which works just like Secure Gateway but is an appliance. It has other features such as Endpoint Analysis, and you can have separate application policies for remote users. For instance, if you wanted to just give them Outlook, but internally they get 10 other applications, you can do that.

I wouldn't use VPN either, makes life more difficult.

Get your Cert, install SG on your Web Interface box, configure it, point 443 to that same box, and wham, you are good to go in less than 20 minutes.
0
 

Author Comment

by:monarchit
ID: 22813561
Would you not recommend just NATting 443 straight to the web interface without SG?

Also where do I get SG from? Is that on the CD?
0
 

Author Comment

by:monarchit
ID: 22813571
Also my web interface is currently a server in the DMZ
0
 
LVL 2

Expert Comment

by:AaronIT
ID: 22813619
Monarchit

If your WI is in the DMZ, do all users hit it via the external FQDN? If they don't, then you are going to have to put an altaddr record on the WI to make sure to change the ICA files to an external IP. Not a problem to do, just a little more complication that Secure Gateway does for you.

I personally wouldn't recommend just NATting 443 through unless you are using Secure Gateway.

Secure Gateway comes with PS 4.5, might as well use it; it makes your life easier on the config side and the SSL management side. I believe it's on the Components CD, but it is on one of them, I just can't remember which off the top of my head. You can also download it from your My Citrix account.
0
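
A check for the ICA-file issue described in the comment above, as an added example that is not part of the original thread: it flags a launch file whose session address is an internal IP or hostname with no SSL relay configured. The sample files are constructed, and the key names (`Address`, `SSLEnable`, `SSLProxyHost`) are assumed from the usual ICA launch-file layout.

```python
import configparser
import ipaddress

# Constructed sample ICA launch files (not taken from the thread).
DIRECT_ICA = """\
[ApplicationServers]
Outlook=

[Outlook]
Address=10.1.20.15:1494
TransportDriver=TCP/IP
"""

GATEWAY_ICA = """\
[ApplicationServers]
Outlook=

[Outlook]
Address=;10;STA01;CONSTRUCTEDTICKET
SSLEnable=On
SSLProxyHost=citrix.example.com:443
"""

def audit_ica(text):
    """Return (app, finding, address) for every app that bypasses an SSL relay."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # ICA keys are mixed case; keep them as written
    cp.read_string(text)
    findings = []
    if not cp.has_section("ApplicationServers"):
        return findings
    for app in cp["ApplicationServers"]:
        if not cp.has_section(app):
            continue
        sec = cp[app]
        # Assumed key names: SSLEnable / SSLProxyHost mark a gateway-relayed session.
        if sec.get("SSLEnable", "Off").lower() == "on" and sec.get("SSLProxyHost"):
            continue
        addr = sec.get("Address", "")
        host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            findings.append((app, "direct-hostname", addr))
            continue
        kind = "private-address" if ip.is_private else "direct-public"
        findings.append((app, kind, addr))
    return findings
```

A `private-address` finding on a file served to an external user means the client is being told to connect to an address it cannot reach, which is the case the altaddr entry or Secure Gateway is meant to cover.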
 

Author Comment

by:monarchit
ID: 22813863
Yes all my users will hit it via FQDN so just wanted to stick a certificate on it?
0
 
LVL 37

Expert Comment

by:Carl Webster
ID: 22814469
The FREE Citrix Secure Gateway is a piece of cake to install, setup and use.

I use a GoDaddy wildcard SSL cert on my personal lab setups.

http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part1.html

http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part2.html

Citrix doesn't recommend installing CSG and WI on the same server but they support it and I have NEVER had an issue with it.

0
 
LVL 2

Accepted Solution

by:
AaronIT earned 2000 total points
ID: 22814641
Monarch,

Yep, use IIS to create the Cert and get it from GoDaddy; they are the cheapest. That's how we have it set up.

Once you have the cert installed, go through the SG installation and it's a breeze.
0
 
LVL 18

Expert Comment

by:chuckyh
ID: 22815506
I 2nd the CSG/CAG recommendation. Simple and secure. Running WI and CSG on the same box is very easy to set up. The links provided by CarlWebster helped me a lot with my setup.
0
