Citrix infrastructure DMZ

Can I ask, in relation to the overall architecture of a Citrix environment, what part of the Citrix architecture would be a public-facing server (i.e. in the DMZ)? Would that just be the CAG (Access Gateway)? Or could it be other devices too?
Tony Johncock (Lead Technical Architect) commented:
CAG, NetScaler, Secure Gateway and Web Interface servers could each sit in the DMZ and be internet facing.

The appliances such as CAG & NetScaler are the better ones as these tend to be a hardened Linux OS with a specific function rather than a Windows IIS server.
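To make the DMZ placement above concrete, here is an added example (not code from the thread or from Citrix) that models which roles may sit in the DMZ and which role-to-role flows the DMZ firewall has to allow. Host names, role names and the port numbers (443 for HTTPS, 1494 for ICA, 2598 for CGP/session reliability, 80 for the XML service and STA) are assumptions made for the example; check them against your own configuration before turning them into real firewall rules.

```python
"""Zone and flow model for a Citrix remote-access DMZ (added example).

Illustrative code only: roles, host names and ports are assumptions made
for this example and are not taken from the original thread.
"""
from dataclasses import dataclass

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"

# Roles that may be internet facing: the appliance or software that
# terminates the user's HTTPS session. Everything else stays internal.
DMZ_ROLES = {"gateway", "netscaler", "secure_gateway", "web_interface"}


@dataclass(frozen=True)
class Host:
    name: str
    roles: tuple  # a host may carry several roles, e.g. XML broker + STA
    zone: str


@dataclass(frozen=True)
class Flow:
    src_role: str
    dst_role: str
    port: int
    purpose: str


# Role-level flows the DMZ firewall must permit. Ports are assumed defaults.
ALLOWED_FLOWS = [
    Flow("client", "gateway", 443, "user browser/Receiver to gateway"),
    Flow("gateway", "web_interface", 443, "gateway fronts the WI logon page"),
    Flow("gateway", "sta", 80, "Secure Ticket Authority validation"),
    Flow("gateway", "xenapp", 1494, "ICA session proxied by the gateway"),
    Flow("gateway", "xenapp", 2598, "CGP / session reliability proxied"),
    Flow("web_interface", "xml_broker", 80, "application enumeration"),
]

# Constructed inventory for the example (not a real environment).
INVENTORY = [
    Host("client", ("client",), INTERNET),
    Host("cag01", ("gateway",), DMZ),
    Host("wi01", ("web_interface",), DMZ),
    Host("xa01", ("xenapp",), INTERNAL),
    Host("xa02", ("xenapp",), INTERNAL),
    Host("xml01", ("xml_broker", "sta"), INTERNAL),
]


def placement_violations(inventory):
    """Names of DMZ hosts that carry no internet-facing role.

    A XenApp server, XML broker or domain controller in the DMZ is the
    classic mistake this check is meant to catch.
    """
    return [h.name for h in inventory
            if h.zone == DMZ and not set(h.roles) & DMZ_ROLES]


def expand_rules(inventory, flows):
    """Turn role-level flows into host-level (src, dst, port) triples,
    the shape a firewall ACL actually needs."""
    by_role = {}
    for h in inventory:
        for r in h.roles:
            by_role.setdefault(r, []).append(h)
    rules = set()
    for f in flows:
        for s in by_role.get(f.src_role, []):
            for d in by_role.get(f.dst_role, []):
                rules.add((s.name, d.name, f.port))
    return rules


def is_permitted(rules, src, dst, port):
    """Default-deny lookup: only explicitly expanded triples pass."""
    return (src, dst, port) in rules


def internet_reachable(inventory, rules):
    """Hosts that an internet-zone source may reach directly. In a sound
    design this is the gateway tier and nothing else."""
    zone = {h.name: h.zone for h in inventory}
    return sorted({dst for (src, dst, _) in rules if zone[src] == INTERNET})


if __name__ == "__main__":
    rules = expand_rules(INVENTORY, ALLOWED_FLOWS)
    print("internet reachable:", internet_reachable(INVENTORY, rules))
    print("placement violations:", placement_violations(INVENTORY))
    for rule in sorted(rules):
        print("allow", rule)
```

The point of `internet_reachable` is the check a reviewer would want before signing off a design: with the flows above only `cag01` is reachable from the internet, while the Web Interface is reached through the gateway and the XenApp servers are only reachable from the gateway on the ICA/CGP ports. Drop a XenApp host into the DMZ and `placement_violations` names it.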


The answer is of course, it depends on your configuration. If you already have a DMZ, you can configure your CAG there, and have your XenApp servers in your secure network.
That being said, you do not 'need' a DMZ to configure external access to your farm, or even a CAG for that matter.

Check out this link for a few example scenarios:

And if you're keen for some reading, this is a guide for XenApp fundamentals that includes a section on configuring ISA for remote access to the XenApp farm (page 39):

pma111 (Author) commented:
Thanks both. Can I ask for a real low-tech, jargon-free management summary of what each of:

Secure Gateway
Web Interface

Actually does and provides to the user?

Does every Citrix setup include all 4 of these "pieces"? Or can some just include 1 or 2?

Tony Johncock (Lead Technical Architect) commented:
So the Citrix Access Gateway is a physical appliance that can host a website that users connect to (usually) from external clients. It handles things like SSL offload and encryption services. There is actually a virtual appliance version called the VPX.

The NetScalers can be thought of as Access Gateways on steroids and introduce many high-end features like higher throughput and load balancing.

The Web Interface is used, generally internally, as a point of connection for clients such as the Citrix Receiver; or users can log onto it directly and then launch applications via a web browser (they still need a Citrix client/Receiver*).

The Secure Gateway was a software based product in the ilk of the CAGs.

Generally, one or two are used - such as a CAG and a WI.

*The Citrix Receiver is basically the latest client, but there are versions for iDevices, Blackberry etc.
pma111 (Author) commented:
That's excellent help. Thanks! So when I visit the website I am visiting the gateway; here I enter the login credentials, and once authenticated I see many options such as a desktop monitor. When I double-click the monitor this seems to launch the Citrix session (which I assume is the WI kicking in at that point??). I did install a web client before this would work.
pma111 (Author) commented:
Are there security patches applied to each tier of the Citrix architecture, or are they typically focused on one tier?

i.e. would there be security patches for each of:

Secure Gateway
Web Interface
pma111 (Author) commented:
And a last quick one: what are the benefits of a CAG over a "Secure Gateway", i.e. why use one over the other?
Tony Johncock (Lead Technical Architect) commented:
Yes, Citrix release patches and updates for most of their products over their life - some more often than others (XenApp far more often than CAG, for example).

The main reason people opt for Secure Gateway tends to be cost. That said, the main reason people choose CAG or NetScaler over CSG is security: anything running on Windows tends to have a perception of being less secure than an appliance based on a Linux core. Certainly you'd need to patch it more often.

Also because the appliances handle the SSL you get a higher throughput and less load on the software based systems. SSL can add 30% more load per user in a Windows environment.
Tony Johncock (Lead Technical Architect) commented:
Oh and:

"That's excellent help. Thanks! So when I visit the website I am visiting the gateway; here I enter the login credentials, and once authenticated I see many options such as a desktop monitor. When I double-click the monitor this seems to launch the Citrix session (which I assume is the WI kicking in at that point??). I did install a web client before this would work."

Yes - you authenticate to the CAG / Web Interface and then it presents you with the applications. When you click it, it launches via the receiver.
pma111 (Author) commented:
Are there any easy ways to audit versions of Citrix products for missing patches? Do Citrix give any tools to help admins check they are up to date, i.e. check XenApp is up to date, check CAG is up to date, no missing security patches? If you use CAG with 2-factor and SSL/TLS, what do the vulns typically allow for, if anything?
Tony Johncock (Lead Technical Architect) commented:
You can tell if a XenApp server is patched the same as its partners in a farm from the management consoles.

Citrix also offers a page where you can determine which MS security patches shouldn't break anything (quite useful):

I am not aware of any automated service though for the likes of CAG but the updates are generally both quite rare and tend to be a major revision upgrade.

I am not sure what your question re two-factor authentication is asking? Sorry.

Generally though, adding in two-factor auth doesn't introduce any vulnerabilities at the Citrix level, but if, as happened with RSA a while back, the actual authentication mechanism is potentially broken, then of course this will introduce a potential attack profile. On that you just have to keep an eye on, and trust, the vendor to provide feedback in a timely manner.