Solved

SSL for Citrix Web Interface

Posted on 2008-10-27
12
1,245 Views
Last Modified: 2012-05-05
Hi,

I want to be able to provide Citrix Apps from the real world. I currently have Citrix PS 4.5 running internally.

What is the best and most secure way to do this?

Do i just buy a certificate and select 443 in IIS and just NAT it through my firewall or use CSG??

Got no experience with CSG but is this recommended?

Thanks
0
Comment
Question by:monarchit
  • 5
  • 3
  • 2
  • +2
12 Comments
 
LVL 3

Expert Comment

by:mrwalker15
Comment Utility
I dont recommend CSG/AGEE from personal experience.

My suggestion is to use a SSL VPN appliance such a Juniper, F5 or Cisco.
0
 

Author Comment

by:monarchit
Comment Utility
I have a Cisco firewall in place. Do i just NAT 443 to my Citrix Web Interface?
0
 
LVL 3

Expert Comment

by:mrwalker15
Comment Utility
You could use that but you will then need a certificate. I would put your presentation server in a DMZ as it will be accessible externally.
This is not the most secure way as there is no authentication of users prior to connecting to the server.
0
 

Author Comment

by:monarchit
Comment Utility
My web interface and Citrix presentaton server are in seperate servers and also our remote sites connect to the presentation server through our site to site VPN?
0
 
LVL 2

Expert Comment

by:AaronIT
Comment Utility
I disagree with not using Secure Gateway.

There are 2 remote options, you can install Secure Gateway, purchase your Cert and push 443 from your firewall to your SG and things are secure.  

If you would prefer an appliance, you can get the Citrix Access Gateway, which works just like secure gateway but is an appliance. It has other features such as Endpoint analysis, and you can have seperate application policies for remote users.  For instance, if you wanted to just give them outlook, but internally they get 10 other applications you can do that.

I wouldn't use VPN either, makes life more difficult.

Get your Cert, install SG on your Web interface box, configure it, point 443 to that same box, and wham you are good to go in less then 20 minutes.
0
 

Author Comment

by:monarchit
Comment Utility
Would you not recommend just Natting 443 staright to the web interface without SG?

Also where do i get SG from? Is that on the CD
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:monarchit
Comment Utility
Also my web interface is currently a server in the DMZ
0
 
LVL 2

Expert Comment

by:AaronIT
Comment Utility
Monarchit

If your WI is in the DMZ do all users hit it via the external FQDN?  If they don't then you are going to have put an altaddr record on the WI to make sure to change the ICA files to an external IP, not a problem to do just a little more complication that Secure Gateway does for you.  

I personally wouldn't recommend just natting 443 through unless you are using Secure Gatway.

Secure Gateway comes with PS 4.5 might as well use it, it makes your life easier on the config side, and SSL management side.  I believe it's on the Components CD, but it is on one of them, i just can't remember which off the top of my head. You can also download it from your My Citrix account.
0
 

Author Comment

by:monarchit
Comment Utility
Yes all my users will hit it via FQDN so just wanted to stick a certificate on it?
0
 
LVL 36

Expert Comment

by:Carl Webster
Comment Utility
The FREE Citrix Secure Gateway is a piece of cake to install, setup and use.

I use a GoDaddy wildcard SLL cert on my personal lab setups.

http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part1.html

http://www.msterminalservices.org/articles/Install-Configure-Citrix-Web-Interface-Secure-Gateway-Part2.html

Citrix doesn't recommend installing CSG and WI on the same server but they support it and I have NEVER had an issue with it.

0
 
LVL 2

Accepted Solution

by:
AaronIT earned 500 total points
Comment Utility
Monarch,

Yep use IIS to create the Cert and get it from GoDaddy they are the cheapest. that's how we have it set up.

once you have the cert installed go through the SG installation and it's a breeze.
0
 
LVL 18

Expert Comment

by:chuckyh
Comment Utility
I 2nd the CSG/CAG recommendation. Simple and secure. Running WI and CSG on the same box is very easy to setup. The links provided by CarlWebster helped me a lot with my setup.
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Citrix XenDesktop, gold image, VMware, vSphere.
#Citrix #Citrix Policies #XenDesktop #VDI #POC #Citrix Univeral Printer Driver #Citrix UPD
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now