Trouble with Citrix Secure Gateway on DMZ

Hi All, I am trying to fix our Citrix Gateway. We have two Citrix Servers (XenApp 6.5) on the subnet and they work great.
We also have a Citrix Secure Gateway on the DMZ on a subnet.

If I move the CSG from DMZ to LAN1 everything works as intended.
By going to https://CSG/ I get the web login portal and am able to log in and launch applications.

When the CSG is on the DMZ it does not work. I get to the login portal but that is about it. It does not authenticate any user.
I tried setting up access rules on the SonicWall to allow traffic from CSG to Citrix Server over ports 8080 and 443.
Then as a test I allowed all traffic on all ports to hit the Citrix servers. I checked the packet monitor on the SonicWall and it shows it passing traffic to the Citrix servers, but I am still not able to log in.
Long Le Asked:
Carl Webster, Citrix Technology Professional - Fellow, Commented:
Both products are no longer supported but the old doc is still available.

Go to page 636 where it starts on using the CSG in a DMZ. In both examples, it shows that the Web Interface is also in a DMZ.
Sam Jacobs, Director of Technology Development, IPM, Commented:
Did you run the Secure Gateway Diagnostics Utility? What does it say?
Long Le, Author, Commented:
Hi Sam, the test failed at Web Interface and failed at Authority Servers.
Carl Webster, Citrix Technology Professional - Fellow, Commented:
Is the Web Interface in the DMZ?
Sam Jacobs, Director of Technology Development, IPM, Commented:
Is Web Interface installed on the CSG server?
Can you post screenshots of the output of the diagnostic report (you can blur sensitive info)?
Long Le, Author, Commented:
Hi Carl,

CSG Server: Has WI and CSG Installed
CITRX 1: Has XenApp and WI Installed
CITRX 2: Has XenApp and WI Installed

Hi Sam,

Headed to the other office for a meet. I'll send a screen shot as soon as I get there.
Carl Webster, Citrix Technology Professional - Fellow, Commented:
Why is WI installed on the XenApp servers?
Sam Jacobs, Director of Technology Development, IPM, Commented:
The Citrix servers should not have WI installed on them.
Where is CSG pointing to for WI?
Long Le, Author, Commented:
Not exactly sure why WI is on the XenApp and CSG. Just trying to clean it up and make it a bit more secure. Currently they are Port Forwarding directly to the XenApp\Webserver Server. Found the CSG but it wasn't fully configured, so trying to get that up and running.
Carl Webster, Citrix Technology Professional - Fellow, Commented:
There is no need for WI on the XenApp servers and it could present a security risk.
Long Le, Author, Commented:
I think the best bet is to just rebuild the whole Citrix Environment on Hyper-V. Sounds like I should spin up another server for WI and put it in the DMZ with the CSG?


Sam Jacobs, Director of Technology Development, IPM, Commented:
You can put both CSG and WI on the same server. If you have a second CSG/WI server, you could load-balance the two of them for failover.
Carl Webster, Citrix Technology Professional - Fellow, Commented:
Typically WI is installed on the same server as CSG (and makes it easier to configure in my opinion and one less server in the DMZ).

Unless Sam disagrees (Sam and I are friends and fellow CTPs), I would just uninstall WI and IIS from the existing XenApp servers to save you the trouble of building new servers and installing and configuring applications.
Sam Jacobs, Director of Technology Development, IPM, Commented:
This is going back quite a while, but if I remember correctly, uninstalling IIS from a XenApp server can sometimes cause issues with the XML service.
I would suggest just leaving it, and building a second CSG/WI in the DMZ (for load-balancing and failover).

Better yet, I would highly suggest upgrading to StoreFront and NetScaler Gateway for security reasons.

Carl Webster, Citrix Technology Professional - Fellow, Commented:
I agree since XenApp 6.5 and WI and CSG are all out of support.
Long Le, Author, Commented:
Hi all,

Thanks to your help, guys, I was able to get the server working as intended. I am putting into budget to get us up to the latest version of Citrix. I saw the Citrix Workspace demo video and was drooling. lol.
Long Le, Author, Commented:
With your recommendations I set it up like this:

Server 1: CSG and WI

Server 2: XenApp
Server 3: XenApp

I had to update some access rules on the firewall to allow for communications from DMZ to LAN.
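
A connectivity check for the DMZ-to-LAN rules discussed in this thread, as an added example that is not part of any poster's reply. Host names are hypothetical; 8080 is the port named in the question, 1494 and 2598 are the Citrix default ICA and session reliability ports, and the two "Blocked" entries are ports assumed to be unnecessary from the DMZ, included to confirm that a temporary allow-all test rule is no longer in effect.

```powershell
# Added example. Run on the CSG/WI server in the DMZ.
# Host names are hypothetical; port roles and expectations are assumptions.
$Targets = @('xenapp1.example.internal', 'xenapp2.example.internal')
$Checks = @(
    @{ Port = 8080; Expect = 'Open';    Role = 'XML Service / STA (port named in the thread)' },
    @{ Port = 1494; Expect = 'Open';    Role = 'ICA (Citrix default)' },
    @{ Port = 2598; Expect = 'Open';    Role = 'Session reliability (Citrix default)' },
    @{ Port = 445;  Expect = 'Blocked'; Role = 'SMB, assumed not needed from the DMZ' },
    @{ Port = 3389; Expect = 'Blocked'; Role = 'RDP, assumed not needed from the DMZ' }
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        # No answer within the timeout usually means a firewall dropped the packet.
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'Timeout' }
        $client.EndConnect($pending)   # throws on refusal or name-resolution failure
        return 'Open'
    }
    catch { return 'Failed' }          # connection refused, or the name did not resolve
    finally { $client.Close() }
}

$report = foreach ($t in $Targets) {
    foreach ($c in $Checks) {
        $state  = Test-TcpPort -HostName $t -Port $c.Port
        $isOpen = ($state -eq 'Open')
        New-Object PSObject -Property @{
            Target = $t; Port = $c.Port; Role = $c.Role
            Expect = $c.Expect; Actual = $state
            # Pass when reachability matches the expectation for this port.
            Pass   = ($isOpen -eq ($c.Expect -eq 'Open'))
        }
    }
}
$report | Select-Object Target, Port, Expect, Actual, Pass, Role | Format-Table -AutoSize
```

A `Timeout` on a port expected to be open points at the firewall rule, while `Failed` means the packet got an answer (or the name did not resolve) and the service or DNS is the place to look.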
Sam Jacobs, Director of Technology Development, IPM, Commented:
I would recommend setting up another CSG/WI server in the DMZ to eliminate the single point of failure.
You could use either a hardware device or NLB to load-balance the two.