Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.
Solved
citrix web interface and access gateway
Posted on 2013-01-04
Citrix experts,
Can someone tell me some of the benefits with "front ending" the web interface with an access gateway for users connecting from outside?
I that's how it should be done in order to provide remote users access to the WI when they are out of the office. But technically, could it work without an access gateway?
Some benefits I see is that the Access gateway can do the authentication and provide SSO into the WI...anything else?
Can someone tell me some of the benefits with "front ending" the web interface with an access gateway for users connecting from outside?
I that's how it should be done in order to provide remote users access to the WI when they are out of the office. But technically, could it work without an access gateway?
Some benefits I see is that the Access gateway can do the authentication and provide SSO into the WI...anything else?
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
3
2-
2
- +3
10 Comments
Active today
yes web interface will if you are using vpn to connect to your network. here is the few benifits of access gateway http://www.cns-service.com/citrix/citrix-access-gateway.aspx
Unless you provide the web interface with a public IP address, your external users will not be able to directly connect to it. What sekarc4u mentioned is a VPN connection from a third party (other than Citrix), such as Juniper or Cisco, before connecting to the Web Interface.
One big advantage of the Access Gateway is to provide you with SSL secure VPN connection to your network. This is why you shouldn't put a public IP on a Web Interface; because this will pose a huge security risk on your network.
One big advantage of the Access Gateway is to provide you with SSL secure VPN connection to your network. This is why you shouldn't put a public IP on a Web Interface; because this will pose a huge security risk on your network.
There are many ways to handle authentication with or without Citrix. Depends on the environment and purpose of the web interface. For example, we provide our users multiple systems: Those applications that are only loosely coupled to our networks, and those that are fully integrated. For an e-commerce platform, Citrix wouldn't make much sense as it's likely to get in the way of access. A bug tracking system deployed outside our LAN, we would likely authenticate via encryption/salting/hashing
You can always use traditional method of configuring AGW with WI. You can place AGW in between Firewall, so AGW can either authenticate the users and send it to WI which is in internal network or instead of authenticating, AGW can directly forward the request to WI in the internal network.
Again if you still want to have WI instead of AGW, you can place it in Firewall do a NAT, and requests are sent to internal web interface. Ext Ips gets translated in the Firewall, so you don't have to expose internal server IPs. If you cannot use AGW, try secure gateway, secure the connectin with SSL.
Again if you still want to have WI instead of AGW, you can place it in Firewall do a NAT, and requests are sent to internal web interface. Ext Ips gets translated in the Firewall, so you don't have to expose internal server IPs. If you cannot use AGW, try secure gateway, secure the connectin with SSL.
Active today
Access Gateway goes end of life this year. I would not bother installing it.
You will want to look at a Netscaler for these purposes, that AG functionality and interface has been moved to that platform.
WI goes end of life either next year, or 2015 in favor of StoreFront, which will require a netscaler to provide the same level of functionality.
However, in the current iterations, you can definitely use a Web Interface with a Secure Gateway (free). You can provide a secure (SSL) connection for the WI & CSG connection easily enough.. they can reside on teh same or separate servers, and you can have one or both out in the DMZ, or have them purely internal.
A lot depends on your budget, and goals.
Coralon
You will want to look at a Netscaler for these purposes, that AG functionality and interface has been moved to that platform.
WI goes end of life either next year, or 2015 in favor of StoreFront, which will require a netscaler to provide the same level of functionality.
However, in the current iterations, you can definitely use a Web Interface with a Secure Gateway (free). You can provide a secure (SSL) connection for the WI & CSG connection easily enough.. they can reside on teh same or separate servers, and you can have one or both out in the DMZ, or have them purely internal.
A lot depends on your budget, and goals.
Coralon
Everyone, I appreciate your responses. Maybe I didnt ask my question correctly because it seemed like it was completely missed except for Mutawadi's response.
Yes I do have Netscaler front ended the WI for remote users. I was just asking for more "benefits" of having it setup that way. Suppose you have it setup this way too and someone asked you can it be accomplished without Netscaler and just have WI by itself. Of course we wouldnt think of doing it that way so this is just a hypothetical.
If I install an SSL cert on the WI server, and have users connect in from outside, then that would make the SSL connection to the WI. I can also have the users authenticate at the WI. So no need for the Netscaler for those purposes. Let's hear what other benefits does front ended it with CSG or Netscaler give me?
Yes I do have Netscaler front ended the WI for remote users. I was just asking for more "benefits" of having it setup that way. Suppose you have it setup this way too and someone asked you can it be accomplished without Netscaler and just have WI by itself. Of course we wouldnt think of doing it that way so this is just a hypothetical.
If I install an SSL cert on the WI server, and have users connect in from outside, then that would make the SSL connection to the WI. I can also have the users authenticate at the WI. So no need for the Netscaler for those purposes. Let's hear what other benefits does front ended it with CSG or Netscaler give me?
Specifically NetScaler would have the following non-exhaustive advantages:
- Integration of the SSL VPN functionality of Access Gateway, Enterprise edition with Citrix SmartAccess; available when you puchase the AG universal client licenses.
- Intelligent hardware layer 4 (protocol and port number) load balancing, ensuring optimal distribution of traffic among application servers
- Global load balancing to manage multi-sites.
- Implements multiple TCP optimization to improve the network traffic leading to accelerated application performance
- Hardware based SSL acceleration reducing CPU utilization on servers. This greatly reduces the processing intensity of SSL connection and bulk encryption of web servers.
- Integration of the SSL VPN functionality of Access Gateway, Enterprise edition with Citrix SmartAccess; available when you puchase the AG universal client licenses.
- Intelligent hardware layer 4 (protocol and port number) load balancing, ensuring optimal distribution of traffic among application servers
- Global load balancing to manage multi-sites.
- Implements multiple TCP optimization to improve the network traffic leading to accelerated application performance
- Hardware based SSL acceleration reducing CPU utilization on servers. This greatly reduces the processing intensity of SSL connection and bulk encryption of web servers.
Active today
Not being funny.. but the question is a complete waste of time. If you *already* have a netscaler, then there is absolutely no reason to have a CSG.
Coralon
Coralon
Coralon,
When I say "access gateway" I'm referring to Netscaler. You can have a Netscaler and not have Access Gateway.
When I say "access gateway" I'm referring to Netscaler. You can have a Netscaler and not have Access Gateway.
Active today
I know plenty about the Netscalers, not even vaguely a question. You mentioned a CSG (Citrix Secure Gateway)
That's why I said it would be a waste of time if you had a Netscaler. If you had the Netscaler, you would add the AG functionality rather than bother with a CSG.
However when it comes to a CAG vs. Netscaler w/AG, the CAG is coming to EOL soon, and Netscaler w/AG will be your only option soon.
Coralon
Let's hear what other benefits does front ended it with CSG or Netscaler give me?
That's why I said it would be a waste of time if you had a Netscaler. If you had the Netscaler, you would add the AG functionality rather than bother with a CSG.
However when it comes to a CAG vs. Netscaler w/AG, the CAG is coming to EOL soon, and Netscaler w/AG will be your only option soon.
Coralon
Featured Post
This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Citrix policies are the most efficient method to configure and tune XenDesktop environments, allowing organizations to control connection, security and bandwidth settings based on various combinations of users, devices or connection types.
 Citrix …
Citrix XenDesktop 7.6 Citrix Policies Disable Peripherals
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video.
We have explained the difference between…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
Suggested Courses
Course of the Month14 days, 11 hours left to enroll
649 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.