Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1258
  • Last Modified:

SSL for Citrix Web Interface

Hi,

I want to be able to provide Citrix Apps from the real world. I currently have Citrix PS 4.5 running internally.

What is the best and most secure way to do this?

Do i just buy a certificate and select 443 in IIS and just NAT it through my firewall or use CSG??

Got no experience with CSG but is this recommended?

Thanks
0
monarchit
Asked:
monarchit
  • 5
  • 3
  • 2
  • +2
1 Solution
 
mrwalker15Commented:
I dont recommend CSG/AGEE from personal experience.

My suggestion is to use a SSL VPN appliance such a Juniper, F5 or Cisco.
0
 
monarchitAuthor Commented:
I have a Cisco firewall in place. Do i just NAT 443 to my Citrix Web Interface?
0
 
mrwalker15Commented:
You could use that but you will then need a certificate. I would put your presentation server in a DMZ as it will be accessible externally.
This is not the most secure way as there is no authentication of users prior to connecting to the server.
0
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

 
monarchitAuthor Commented:
My web interface and Citrix presentaton server are in seperate servers and also our remote sites connect to the presentation server through our site to site VPN?
0
 
AaronITCommented:
I disagree with not using Secure Gateway.

There are 2 remote options, you can install Secure Gateway, purchase your Cert and push 443 from your firewall to your SG and things are secure.  

If you would prefer an appliance, you can get the Citrix Access Gateway, which works just like secure gateway but is an appliance. It has other features such as Endpoint analysis, and you can have seperate application policies for remote users.  For instance, if you wanted to just give them outlook, but internally they get 10 other applications you can do that.

I wouldn't use VPN either, makes life more difficult.

Get your Cert, install SG on your Web interface box, configure it, point 443 to that same box, and wham you are good to go in less then 20 minutes.
0
 
monarchitAuthor Commented:
Would you not recommend just Natting 443 staright to the web interface without SG?

Also where do i get SG from? Is that on the CD
0
 
monarchitAuthor Commented:
Also my web interface is currently a server in the DMZ
0
 
AaronITCommented:
Monarchit

If your WI is in the DMZ do all users hit it via the external FQDN?  If they don't then you are going to have put an altaddr record on the WI to make sure to change the ICA files to an external IP, not a problem to do just a little more complication that Secure Gateway does for you.  

I personally wouldn't recommend just natting 443 through unless you are using Secure Gatway.

Secure Gateway comes with PS 4.5 might as well use it, it makes your life easier on the config side, and SSL management side.  I believe it's on the Components CD, but it is on one of them, i just can't remember which off the top of my head. You can also download it from your My Citrix account.
0
 
monarchitAuthor Commented:
Yes all my users will hit it via FQDN so just wanted to stick a certificate on it?
0
 
Carl WebsterCommented:
The FREE Citrix Secure Gateway is a piece of cake to install, setup and use.

I use a GoDaddy wildcard SLL cert on my personal lab setups.

http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part1.html

http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part2.html

Citrix doesn't recommend installing CSG and WI on the same server but they support it and I have NEVER had an issue with it.

0
 
AaronITCommented:
Monarch,

Yep use IIS to create the Cert and get it from GoDaddy they are the cheapest. that's how we have it set up.

once you have the cert installed go through the SG installation and it's a breeze.
0
 
chuckyhCommented:
I 2nd the CSG/CAG recommendation. Simple and secure. Running WI and CSG on the same box is very easy to setup. The links provided by CarlWebster helped me a lot with my setup.
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

  • 5
  • 3
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now