CAG - Web interface - best option.

Posted on 2009-05-27
Last Modified: 2012-06-21
Hi all,

I have a Citrix Access Gateway in production. I have been asked to configure a Citrix Web Interface so that external users can log on securely and use published apps.

I have created a Citrix Web Interface site on a server in the DMZ. My plan was to create a certificate on the site and then give an external address so that users could access the site externally.

But, as I already have a CAG, should I not be using this to authenticate the users? Is there any way the CAG can be tied in to the portal page?

Help would be appreciated.

Should I be using the CAG for authenticating the users and then pointing them to the website?
Question by:matt_B_2008

Expert Comment

by:Daniel Borger
ID: 24517406
The web server does not need to be in the DMZ. Your Access Gateway has 2 NICs that you can use to span the external and internal networks. This will allow the CAG to point to an internal Web Interface to do authentication. Here are some good learning points.

Author Comment

ID: 24536301

I have now slightly changed the setup here in order to get this working, as follows

Configured a web interface on the LAN.
CAG on the DMZ.
WI v4.5
CAG standard ed. 4.5.5

I am now trying to forward credentials used at the CAG portal page to log the users directly onto the WI. I have followed all the steps in the KB: http://support.citrix.com/article/ctx106202

To test this I am connecting to the CAG FQDN and selecting connect. This then runs the clients and prompts for the user credentials. Once I put credentials in I want it to redirect to the WI but it's not. Any ideas what I may have missed out?

Assisted Solution

by:Daniel Borger
Daniel Borger earned 1000 total points
ID: 24537241
You can set the CAG to not authenticate users since the Web Interface will be doing that.
There are changes needed on the Web Interface to let it know where the traffic is coming from.
Edit the DMZ settings of your Web Interface page. Set the default to Gateway Direct. If internal users are going to use the same site you can add your IP range as well. This will let internal users connect without using the CAG.

Author Comment

ID: 24537429
Hi, thanks for getting back.

I'm not sure whether this is what's required:

I just need the users to be redirected to the WI after they have logged into the CAG portal page. At the moment the portal page is just allowing users to connect to the gateway; I need them to be redirected to the WI without having to browse to the WI address manually?

That make sense?

Accepted Solution

matt_B_2008 earned 0 total points
ID: 24537483
Here are the settings on the WI
