CAG - Web interface - best option.

Hi all,

I have a Citrix Access Gateway in production. I have been asked to configure a Citrix web interface so that external users can log on securely and use published apps.

I have created a Citrix web interface site on a server in the DMZ. My plan was to create a certificate on the site and then give an external address so that users could access the site externally.

But, as I already have a CAG, should I not be using this to authenticate the users? Is there any way the CAG can be tied in to the portal page?

Help would be appreciated.

Should I be using the CAG for authenticating the users and then pointing them to the website?

Daniel Borger, Senior Citrix Engineer - CCEE, Commented:
The web server does not need to be in the DMZ. Your Access Gateway has 2 NICs that you can use to span the external and internal networks. This will allow the CAG to point to an internal Web Interface to do authentication. Here are some good learning points.
matt_B_2008 (Author) Commented:

I have now slightly changed the setup here in order to get this working, as follows:

Configured a web interface on the LAN.
CAG on the DMZ.
WI v4.5
CAG standard ed. 4.5.5

I am now trying to forward credentials used at the CAG portal page to log the users directly onto the WI. I have followed all the steps on the KB:

To test this I am connecting to the CAG FQDN and selecting connect. This then runs the client and prompts for the user credentials. Once I put credentials in I want it to redirect to the WI but it's not. Any ideas what I may have missed out?
Daniel Borger, Senior Citrix Engineer - CCEE, Commented:
You can set the CAG to not authenticate users since the web interface will be doing that.
There are changes needed on the web interface to let it know where the traffic is coming from.
Edit the DMZ settings of your web interface page. Set the default to Gateway Direct. If internal users are going to use the same site you can add your IP range as well. This will let internal users connect without using the CAG.
matt_B_2008 (Author) Commented:
Hi, thanks for getting back.

I'm not sure whether this is what's required:

I just need the users to be redirected to the WI after they have logged into the CAG portal page. At the moment the portal page is just allowing users to connect to the gateway; I need them to be redirected to the WI without having to browse to the WI address manually?

That make sense?
matt_B_2008 (Author) Commented:
Here's the settings on the WI
