Long Le
 asked on

Trouble with Citrix Secure Gateway on DMZ

Hi All, I am trying to fix our Citrix Gateway. We have two Citrix Servers (XenApp 6.5) on the 88.8.0.0/16 (LAN1) subnet and they work great.
We also have a Citrix Secure Gateway on the DMZ on a 99.9.0.0/16 subnet.

If I move the CSG from DMZ to LAN1 everything works as intended.
By going to https://CSG/ I get the web login portal and am able to log in and launch applications.

When the CSG is on the DMZ it does not work. I get to the login portal but that is about it. It does not authenticate any user.
I tried setting up access rules on the SonicWall to allow traffic from CSG to Citrix Server over Port 8080 and 443.
Then as a test I allowed all traffic on all ports to hit the Citrix servers. I checked the packet monitor on the SonicWall and it shows it passing traffic to the Citrix servers, but I am still not able to log in.


8/22/2022 - Mon
Carl Webster

Both products are no longer supported but the old doc is still available.

https://docs.citrix.com/en-us/legacy-archive/downloads/xenapp-6-5.pdf

Go to page 636 where it starts on using the CSG in a DMZ. In both examples, it shows that the Web Interface is also in a DMZ.
Sam Jacobs

Did you run the Secure Gateway Diagnostics Utility? What does it say?
Long Le

ASKER
Hi Sam, the test failed at Web Interface and failed at Authority Servers.
Carl Webster

Is the Web Interface in the DMZ?
Sam Jacobs

Is Web Interface installed on the CSG server?
Can you post screenshots of the output of the diagnostic report (you can blur sensitive info)?
Long Le

ASKER
Hi Carl,

CSG  Server: Has WI and CSG Installed
CITRX 1: Has XenApp and WI Installed
CITRX 2: Has XenApp and WI Installed

Hi Sam,

Headed to the other office for a meet. I'll send a screen shot as soon as I get there.
Carl Webster

Why is WI installed on the XenApp servers?
Sam Jacobs

The Citrix servers should not have WI installed on them.
Where is CSG pointing to for WI?
Long Le

ASKER
Not exactly sure why WI is on the XenApp and CSG. Just trying to clean it up and make it a bit more secure. Currently they are Port Forwarding directly to the XenApp\Webserver Server. Found the CSG but wasn't fully configured so trying to get that up and running.
Carl Webster

There is no need for WI on the XenApp servers and it could present a security risk.
Long Le

ASKER
I think the best bet is to just rebuild the whole Citrix environment on Hyper-V. Sounds like I should spin up another server for WI and put it in the DMZ with the CSG?

DMZ:
CSG
WI

Lan:
XenApp1
XenApp2
Sam Jacobs

You can put both CSG and WI on the same server. If you have a second CSG/WI server, you could load-balance the two of them for failover.
Carl Webster

I agree since XenApp 6.5 and WI and CSG are all out of support.
Long Le

ASKER
Hi all,

Thanks to your help, guys, I was able to get the server working as intended. I am putting into the budget to get us up to the latest version of Citrix. I saw the Citrix Workspace demo video and was drooling. lol.
Long Le

ASKER
With your recommendations I set it up like this:

DMZ:
Server 1: CSG and WI

LAN:
Server 2: XenApp
Server 3: XenApp

I had to update some access rules on the firewall to allow for communications from DMZ to LAN.
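
Added example, not part of the thread or of any Citrix or SonicWall tooling: a small audit of a DMZ-to-LAN rule set for the layout above, checking that the CSG/WI host can reach each XenApp server on the ports it needs and flagging rules left wider than that (such as a leftover allow-all test rule). The host addresses, the rule format and top-down first-match evaluation are assumptions; 8080 is the port named in the thread, while 1494 (ICA) and 2598 (session reliability) are the Citrix defaults assumed here.

```python
import ipaddress

# Constructed DMZ->LAN rule set (not exported from the thread's firewall).
# Rules are assumed to be evaluated top-down, first match wins.
RULES = [
    {"src": "99.9.0.10/32", "dst": "88.8.0.0/16", "port": 8080, "action": "allow"},
    {"src": "99.9.0.10/32", "dst": "88.8.0.0/16", "port": 1494, "action": "allow"},
    {"src": "99.9.0.0/16", "dst": "88.8.0.0/16", "port": "any", "action": "allow"},
]

CSG = "99.9.0.10"                     # hypothetical CSG/WI address in the DMZ
XENAPP = ["88.8.0.21", "88.8.0.22"]   # hypothetical XenApp addresses on the LAN
REQUIRED_PORTS = [8080, 1494, 2598]   # 8080 from the thread; others assumed defaults


def matches(rule, src, dst, port):
    """True if the rule covers this source, destination and TCP port."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"])
            and rule["port"] in ("any", port))


def first_match(rules, src, dst, port):
    """Return the first matching rule, or None for the implicit deny."""
    for rule in rules:
        if matches(rule, src, dst, port):
            return rule
    return None


def audit(rules, csg=CSG, servers=XENAPP, ports=REQUIRED_PORTS):
    """Return (required flows not allowed, allow rules broader than one host/port)."""
    missing = [(dst, p) for dst in servers for p in ports
               if (first_match(rules, csg, dst, p) or {}).get("action") != "allow"]
    too_broad = [r for r in rules if r["action"] == "allow"
                 and (r["port"] == "any"
                      or ipaddress.ip_network(r["src"]).num_addresses > 1)]
    return missing, too_broad


if __name__ == "__main__":
    for label, rules in (("with test rule", RULES), ("tightened", RULES[:2])):
        missing, too_broad = audit(rules)
        print(label, "| missing:", missing, "| too broad:", too_broad)
```

With the allow-all rule present nothing is reported missing, which is how a temporary test rule can hide the fact that a required port was never explicitly permitted.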
Sam Jacobs

I would recommend setting up another CSG/WI server in the DMZ to eliminate the single point of failure.
You could use either a hardware device or NLB to load-balance the two.