Giving remote users access to Xenapp servers.
Posted by: ArB in Untagged on
Jan 22, 2010
Part 1 the Citrix Secure Gateway.
The need for working remotely is growing every year, but no company wants to connect its XenApp or XenDesktop servers directly to the internet. This is where a gateway solution comes into the picture. Citrix understands this like no other and has provided quite a few possibilities to reach the virtual desktop in a secure and easy way. Basically there are 3 different types of gateway available from Citrix.
The first one to be discussed here is the Secure Access Gateway. In Part 2 and Part 3 of my blog I will focus on the other two types.
Secure Gateway
This gateway is the oldest supported gateway made available by Citrix. It can give you access to published desktops and applications in a Citrix environment, and it is based on the best remote connection protocol ever, ICA. That's it, nothing more and nothing less. But it is very effective in doing so.
What do I need to run a Secure Gateway in my XenApp and XenDesktop environment? Well, the software to install the gateway runs on a Microsoft Windows Server. The best place to put this server is in the DMZ. Of course this server doesn't need to be a physical server; a virtual server also runs fine.
The features offered by this gateway are:
Designed-in security
The Secure Gateway provides authentication, authorization, and cryptography functionality that is consistent with Microsoft’s best practices for secure software.
Network protocol support
The Secure Gateway supports the TCP/IP protocols, such as FTP, HTTP, and Telnet.
IPv4 and IPv6 protocol support
The Secure Gateway can be configured to accept inbound connections from clients using IPv4 and IPv6 addresses.
Secure Socket Layer support
The Secure Gateway provides SSL support to secure communication between the client and the Secure Gateway components.
Simple deployment
Citrix XenApp includes the Secure Ticket Authority (STA) and is merged into a single Windows Installer package, resulting in a more efficient deployment. The STA is deployed automatically on the same computer as Citrix XenApp, resulting in a reduction of the number of computers required for a basic deployment. Internet Information Server is no longer a requirement for installing the STA; Internet Information Server deployment is a supported option during installation of Citrix XenApp.
Certificate management
The Secure Gateway Configuration wizard prevents the selection of a certificate that does not have a private key and verifies that the appropriate certificate is installed in the local computer certificate store. Wildcard certificate support: wildcard certificates can be deployed on the Secure Gateway, the Secure Gateway Proxy, and on the computer where Citrix XenApp is hosting the STA.
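As an added illustration of the checks the wizard performs (my own example, not Citrix code): a PowerShell pre-flight you can run on the gateway server before starting the wizard. It lists the certificates in the local computer store that have a private key, are not expired, and cover the public name clients will use, including wildcard certificates. The gateway name is an assumed placeholder; the script only reads the certificate store.

```powershell
# Added example, not part of the post or of the Secure Gateway product.
# $GatewayFqdn is a placeholder: replace it with the name clients connect to.
param(
    [string]$GatewayFqdn = 'gateway.example.com'
)

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Common Name from the subject
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # DNS entries from the Subject Alternative Name extension (OID 2.5.29.17)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match 'DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    return $names | Select-Object -Unique
}

function Test-NameCovered {
    param([string]$Fqdn, [string[]]$Names)
    foreach ($n in $Names) {
        if ($n -eq $Fqdn) { return $true }
        # A wildcard covers exactly one label: *.example.com matches gw.example.com
        # but not a.gw.example.com
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)
            if ($Fqdn.EndsWith($suffix)) {
                $label = $Fqdn.Substring(0, $Fqdn.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Only certificates that pass all three checks are candidates for the wizard.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        Subject       = $_.Subject
        NotAfter      = $_.NotAfter
        HasPrivateKey = $_.HasPrivateKey
        CoversGateway = Test-NameCovered -Fqdn $GatewayFqdn -Names (Get-CertDnsNames $_)
    }
} | Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and $_.CoversGateway } |
    Format-Table -AutoSize
```

If the table comes back empty, the wizard will not let you pick a usable certificate either, so fix the store (import the PFX with its private key) before proceeding.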
Load balancing
The Secure Gateway provides load balancing for the Secure Gateway Proxy. IP addresses are retrieved from the DNS using a domain name or listed individually.
Logging
The Secure Gateway uses the Apache standard access log files and supports log rotation functionality for the access log files. The access log files provide connection information to the Secure Gateway or the Secure Gateway Proxy.
Instrumentation
The Secure Gateway includes a new set of performance counters to analyze the usage and load on the Secure Gateway server.
Based on Apache Technology
The software code based on Apache technology is used as a foundation for building the Secure Gateway.
Section 508 compliance
Secure Gateway is compliant with Section 508 of the United States Workforce Rehabilitation Act of 1973.
Session reliability
Improvements in session reliability benefit both mobile and local users by having their work items remain open when network connectivity is lost, and then seamlessly resumed when connectivity is restored. This feature is especially useful for mobile users with wireless connections that are interrupted or dropped. When a session connection is interrupted, all open windows to published resources remain visible while reconnection is attempted automatically in the background.
Relay mode
Secure Gateway can be installed in relay mode for internal secure communications. Relay mode can be used in secure corporate environments such as intranets, LANs, and WANs. Relay mode is not recommended for external connections from the Internet to a server farm or server access farm.
Supports single-hop or double-hop DMZ deployment
The Secure Gateway can be installed to span a single-hop or a double-hop DMZ. If your DMZ is divided into two stages, install the appropriate Secure Gateway component in each DMZ segment to securely transport HTTP/S and ICA traffic to and from the secure network.
Supports secure communication between the Secure Gateway components
The Secure Gateway components support the use of digital certificates and the task of securing links by using SSL/TLS between components.
Configuration, management, and diagnostic tools
The Secure Gateway Management Console is a Microsoft Management Console (MMC) snap-in you can use to manage, analyze, and troubleshoot a Secure Gateway deployment. The Secure Gateway Diagnostics tool, available from the Secure Gateway Management Console, reports configuration values, certificate details, and the state of each configured component.
Minimal client configuration
Client devices require no preinstalled software for security. Remote, secure access is easy to support, requiring little effort from IT staff.
Certificate–based security
The Secure Gateway uses standard Public Key Infrastructure (PKI) technology to provide the framework and trust infrastructure for authentication and authorization.
Standard encryption protocols
The Secure Gateway uses industry-standard SSL or TLS encryption technology to secure Web and application traffic between the client and server. Connections between clients and the Secure Gateway are encrypted using SSL or TLS protocols. You can further enhance security by forcing the Secure Gateway to restrict its use of ciphersuites to commercial or government ciphersuites certified for Federal Information Processing Standard (FIPS) 140 requirements.
Authentication and authorization
The Secure Gateway works with the Web Interface to facilitate authentication of users attempting to establish connections to a server farm. Authorization occurs when the Secure Gateway confirms that the user is authenticated by the enterprise network. The authorization process is entirely transparent to the user.
Single point of entry
The need to publish the address of every Citrix XenApp server is eliminated and server certificate management is simplified. The Secure Gateway allows a single point of encryption and access to computers running Citrix XenApp.
Firewall traversal
Connections from clients are secured with standard protocols using ports typically open on corporate firewalls. This allows easy traversal of firewalls without custom configuration.
Ease of installation and management
Adding the Secure Gateway to an existing server farm is relatively quick and simple, and requires minimal configuration, significantly reducing time and management costs.
Reliability and fault tolerance
The solution allows implementation of duplicate components to enable a redundant system. Large arrays can be built using industry-standard SSL load balancing systems for scalability. Even if hardware fails, the server farm remains protected.
Scalable and extensible solution
A single server running the Secure Gateway can support a small corporate site consisting of hundreds of users. You can support medium to large sites catering to thousands of users connecting to an array of load balanced servers running the Secure Gateway. The Secure Gateway components do not require special hardware devices or network equipment upgrades.
Event and audit logging
Critical and fatal system events are logged to the Secure Gateway application log, enabling administrators to help diagnose system problems. Logging levels are configurable and can be set from the user interface. Depending on the configured logging level, you can retrieve a complete record of network connection attempts to the Secure Gateway. You can also configure the Secure Gateway to omit log entries for polls from network equipment such as load balancers.
And the best part of it is that the Secure Gateway is free and only requires a Windows Server to run. Of course you still need the "other" stuff like a Web Interface server and XenApp servers. In the next part I will discuss the Citrix Access Gateway Standard Edition.
Arjan Beijer

