Citrix Web Interface 4.6 is an ASP.Net 2.0 application that provides
access to Citrix Published Applications via a web browser. When deployed
by itself, Internet Based users require direct ICA (TCP Port 1494) or
Common Gateway Protocol (TCP Port 2598) Communication with each Citrix
Server hosting their published applications. Since this involves
allowing secure communications from the Public Internet into the Private
Network and opening firewall ports, it presents a security problem.
Additionally, it requires that the client can successfully communicate
over ports 1494 or 2598.
Citrix Secure Gateway 3.0 (CSG) is a Reverse Proxy that provides
secure remote access to Citrix Published Applications over SSL (TCP Port
443). When deployed in a DMZ it solves the security and access problems
previously listed, i.e. the client only needs to be able to contact the
CSG over port 443 and the CSG communicates on behalf of the clients
with the Citrix Servers on the Private Network. No communication happens
between the Public Internet and Private/Corporate Network.
Both Citrix Web Interface and Secure Gateway are available to Citrix
Presentation Server Customers via http://www.mycitrix.com.
Software pre-requisites (for the machine to host Web Interface 4.6
and Secure Gateway 3.0):
- Windows Server OS, i.e. 2003 Web or 2003 Standard Edition.
- IIS w/ ASP.Net
- .Net Framework 2.0
- Microsoft Visual J# Version 2.0 Redistributable Package
- Access Management Console for Presentation Server 4.5
- Web Interface 4.6 Access Management Console Extension
- 3rd Party SSL Server Certificate (i.e. from Verisign, Thawte,
- Server capable of running Windows Server OS w/ IIS
- Firewall with DMZ and an available DMZ Port
Web Interface 4.6 for Windows - Installation and Configuration
The initial installation and configuration of the Web Interface /
Secure Gateway Server should be performed on the Private Network, to
ensure that all components are working properly before moving the server
to the DMZ. Since the server’s final destination is in the DMZ, the
server should NOT be a domain member.
After installing software pre-requisites 1 through 6, download and
launch the Web Interface installation program
(WebInterface.exe). Install Web Interface and accept the defaults.
Download the Citrix Web Client and place ica32web.msi in “
Download the Citrix Java Client and place the components in “
Launch the Access Management Console (AMC). The first time the AMC is
run, discovery is performed to identify the components that will be
Select the option, “Do not contact servers running the configuration
service”, unless you want to centrally store the Web Interface
Configuration (refer to the Web Interface Administrators Guide).
After the discovery process completes, right click on the Web
Interface node on the left pane of the AMC -> Select “Create
Select the default option for Site Type (Access Platform Site).
On the Specify IIS Location step of the site creation, check the
option “Set as the default page for the IIS site”. Accept the defaults
for the rest of the Create Site process.
After the site is created, the initial settings must be
configured. On this screen, enter the name of the Citrix Farm, then
enter at least one server from the Citrix Farm with which the Web
Interface will communicate. The Web Interface communicates with the XML
Service on the configured Citrix Server via the Farm XML Port (80 is the
default). Refer to the Citrix Server Farm Properties in the
Presentation Server Console if unsure what port number to enter.
Best practice would be to enter at least two XML Servers (for
redundancy) and to enter Citrix Servers configured as Data
Collectors. When a user enters their credentials to log on to the Web
Interface, the Web Interface communicates with the XML Service to
authenticate the user and return the Application Set for that user.
XML Servers can be entered as their NetBIOS, FQDN or IP Address,
depending on which name resolution mechanism is in place. Since the
server will end up in the DMZ, entering the IP Address requires the
fewest open ports (between the DMZ and Private Network).
On the “Select Application Type” screen, select “Remote”, unless you
plan to use the Presentation Server 4.5 Application Streaming Feature to
stream applications to client computers. Accept the defaults for the
remainder of the Initial Configuration Wizard.
At this point the Citrix Web Interface is ready to be tested, to
ensure that it’s been configured correctly. To test that the Web
Interface is working, open Internet Explorer on the Web Interface Server
and browse to http://localhost. Without any further configuration, one
should be able to successfully log on and launch applications from the
configured Citrix Farm.
After successfully entering logon credentials, one should be
presented with the following Citrix Client Detection Wizard (if no
Citrix Client is installed).
Clicking the “Detect Client” button initiates a scan to check the
client computer for an installed Citrix Client. If no client is
detected, the user is presented with the following screen where the
Citrix Web Client installation can be started.
If the end user clicks the “Download” button, the Citrix Web Client
installation package is loaded from “C:\Program Files\Citrix\Web
Interface\4.6\Clients\ica32\ica32web.msi” on the Web Interface Server.
Click “Run” and proceed with the Client Installation. After the
installation is complete, the end user is presented with the following
Click “Successful” to be taken to the client’s application set.
Click on one of the applications. If the application launches, the
basic configuration of Citrix Web Interface was successful. The next
step is to obtain an SSL Server Certificate which will be used by Citrix
SSL Server Certificate Configuration
Since Citrix Secure Gateway is used to provide secure remote access, a
Trusted 3rd Party SSL Server Certificate is required. To obtain the
certificate, launch Computer Management and navigate to Services and
Applications -> Internet Information Services (IIS) Manager -> Web
Sites -> Default Web Site -> Properties -> Directory Security.
Click on the “Server Certificate” button to start the “Web Server
Certificate Wizard”. Select “Next -> Create a new certificate ->
Prepare the request now, but send it later.
In the name field, enter a friendly name that accurately describes
what the certificate will be used for, i.e. “Citrix Secure Gateway”.
The information on the Organization Information page is what will
display on the SSL Certificate when viewed by the end user.
The Site Common Name is the most important piece of information that
is entered. It MUST match the Fully Qualified Domain Name that will be
addressed by the end user. It need not be the same as the NetBIOS Name
of the Server, but DNS must be configured to resolve this name to the
server being configured.
On the Geographical Information screen it is important that the
“State/province” be spelled out in full, as the request will not be
accepted by the 3rd Party Certificate Authority if the State/province is
The information entered in the IIS Certificate Wizard outputs to a
text file, whose content is submitted to the 3rd Party Certificate
Authority via their online certificate purchase form.
After purchasing the SSL Server Certificate from your preferred
Certificate Authority, the Certificate needs to be installed on the Web
Interface / Secure Gateway Server. The following steps may differ
slightly, depending on the vendor, but in this example we’ll use
certificates from GoDaddy.com. GoDaddy supplies two certificates, an
Intermediate Certificate Authority and the SSL Server Certificate that
was purchased. Per the instructions from the vendor we open the
Certificates Management Console via Start -> Run -> MMC -> File
-> Add/Remove Snap-in -> Add -> Certificates -> Add ->
Computer Account -> Next -> Local Computer -> Finish.
Right click on the “Intermediate Certification Authorities”, navigate
to All Tasks -> Import -> Browse and select the Root Certificate
supplied by the vendor.
Click Next and Accept the Default Location of Intermediate
Click Next to Complete the Certificate Import.
Open IIS Manager -> Web Sites -> Default Web Site ->
Properties -> Directory Security -> Server Certificate.
Click “Next” to continue with the Web Server Certificate Wizard.
Select “Process the pending request and install the certificate”.
Click “Next” to continue.
Browse to, or enter the path to the downloaded SSL Server
Certificate. Click “Next” to continue.
Change the “SSL port this web site should use” from 443, to 444 or
another unused port. It is very important NOT to accept the default port
of 443, as this port will be used by Citrix Secure Gateway.
To test that the SSL Certificate has been properly installed and that
IIS has been configured correctly, restart IIS via “Start -> Run
-> cmd -> IISRESET”. After IIS restarts, browse to
is NOT the URL clients will enter, as they will connect to the Citrix
Secure Gateway on the standard HTTPS Port (443). This is only being done
to ensure that the certificate was properly installed and that the
Citrix Web Interface still works. A DNS Host (A) or Alias (Cname) record
must be configured to resolve the Fully Qualified Domain Name to the IP
Address of the server being configured for the web page to display
In part two of this article we’ll go over the installation and
configuration of Citrix Secure Gateway, as well as the required firewall
In part one of this article it was described how to do a basic
installation of Citrix Web Interface 4.6 and how to request and install a
3rd Party SSL Server Certificate. Part two describes how to install and
configure Citrix Secure Gateway 3.0 on the same server, so Internet
Users can securely connect to Citrix Servers on a private network.
- Configured and tested (on the private network) Citrix Web Interface.
- Installed 3rd Party SSL Server Certificate.
- IIS HTTPS Port configured on a port OTHER THAN 443, i.e. 444.
- Citrix Presentation Server Components CD, or access to download
Secure Gateway 3.0 from www.mycitrix.com.
- Firewall with a DMZ Port.
- Connectivity to at least one Citrix Secure Ticket Authority
(built into the XML Service on Presentation Server 4.x).
Now that Citrix Web Interface 4.6 has been installed and tested and
the SSL Server Certificate has been installed, it is time to install
Citrix Secure Gateway 3.0. It’s best to keep the server on the private
network until the complete system has been tested, to simplify
troubleshooting, as one should not have to worry about the correct
firewall ports being open.
Access the Citrix Presentation Server Components CD, or download
Secure Gateway 3.0 from www.mycitrix.com. To begin the setup, double-click
Click “Next”, read and accept the License Agreement.
Select “Secure Gateway” and click “Next”.
Accept the default “Destination Folder” and click “Next”.
On the Service Account selection screen, select “NETWORK SERVICE” and
Review the Installation Selections and click “Next” to begin the
If the installation was successful, this screen is displayed.
To begin the configuration of Citrix Secure Gateway, click “OK” to
launch the “Secure Gateway Configuration Wizard”.
Select ONLY the option to secure “MetaFrame Presentation Server”,
then click “OK”.
Select the “Advanced” configuration type, then click “Next”.
Select the SSL Server Certificate that was installed in part
one. Click “View” to verify that the correct certificate has been
The items to review are outlined in red on the picture shown above:
- "Issued to:" MUST be the FQDN (Fully Qualified Domain Name) that end
users will type in their Internet Browser to address the Secure
- "Valid from" MUST be a current date range.
- The bottom of the General tab MUST read “You have a private key
that corresponds to this certificate.” If this is not displayed, the
certificate may have been copied from another server, where it MUST be
exported to a .PFX file, including the Private Key. This can be
accomplished with the Certificates MMC on the original server.
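The three items on the checklist above can also be verified from a PowerShell prompt on the Secure Gateway server. This is an added example, not code from the article or from Citrix; the FQDN is a placeholder, and the chain test assumes the vendor's intermediate certificate was imported as described in part one.

```powershell
# Added example, not from the original article: checks the certificate that
# Secure Gateway will use for the three items the article says to review.
# $ExpectedFqdn is a placeholder; use the name end users will type.
$ExpectedFqdn = 'csg.example.com'

function Test-CsgCertificate {
    param([string]$Fqdn)
    # "Issued to" in the certificate viewer is the CN of the Subject; the
    # Secure Gateway wizard lists certificates from the Local Computer store.
    $pattern = 'CN=' + [regex]::Escape($Fqdn) + '(,|$)'
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $pattern } |
        Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No certificate issued to $Fqdn in LocalMachine\My"
        return $false
    }
    $ok = $true
    $now = Get-Date
    # "Valid from" must be a current date range
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        Write-Warning ("Certificate is not valid today: {0} to {1}" -f $cert.NotBefore, $cert.NotAfter)
        $ok = $false
    }
    # "You have a private key that corresponds to this certificate"
    if (-not $cert.HasPrivateKey) {
        Write-Warning 'No private key; re-export from the original server as .PFX including the key'
        $ok = $false
    }
    # The intermediate CA imported in part one must let a chain build to a trusted root
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check of the chain only
    if (-not $chain.Build($cert)) {
        foreach ($status in $chain.ChainStatus) { Write-Warning $status.StatusInformation }
        $ok = $false
    }
    return $ok
}

if (Test-CsgCertificate $ExpectedFqdn) { "Certificate for $ExpectedFqdn passes all checks" }
```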
On the “Configure secure protocol settings” screen, accept the
default options and click “Next”.
Assuming your server has only one active Network Interface, accept
the default option to “Monitor all IP addresses” and listen on TCP port
443. Click “Next” to continue.
On the “Configure outbound connections” screen, accept the default
and click “Next” to continue.
On the “Details of the server running the Secure Ticket Authority
(STA)” screen, click the “Add” button.
On the “Secure Ticket Authority (STA) details” pop-up, enter the FQDN
of a Citrix Server. This is typically a Zone Data Connector, and the
same server that is listed in the Farm XML Servers in the Web Interface
Configuration. If the Citrix Farm is configured to use anything but the
default TCP Port of 80, append the port number to the FQDN, preceded by a
colon, i.e. “ctxs-cps.scs.local:8080”. If it is a requirement to secure
traffic between the Secure Gateway and STA, check the checkbox in the
“Protocol settings” section and enter the appropriate TCP Port. This
requires an SSL Server Certificate on the server hosting the STA.
For redundancy, a secondary and tertiary STA can be added by
repeating the previous step. When done, click “Next” to continue.
On the “Connection parameters” screen, accept the default options,
and click “Next” to continue.
If you are load balancing connections to the Secure Gateway, add the
IP Address of the device on the “Logging Exclusions” screen, otherwise
click “Next” to continue.
Assuming Secure Gateway is on the same server as the Citrix Web
Interface, accept the default “Indirect” radio button and the default
“Installed on this computer” checkbox. If Secure Gateway will be used
with a Web Interface Server hosted on a different server, de-select
“Installed on this computer” and enter the FQDN of the Web Interface
Server in the “Details” section.
Select the desired amount of “Logging parameters” and click “Next” to
Click “Finish” to start the Secure Gateway service.
Open the “Secure Gateway Management Console” and click “Secure
Gateway Diagnostics” to verify that the settings selected in the
configuration wizard are valid.
Launch the Web Interface Console (via the Access Management
Console). Right-click the Web Interface Site -> Manage secure client
access -> Edit Gateway settings.
Enter the FQDN of the Secure Gateway Server that was just configured,
then add the URL to the Secure Ticket Authority, as shown in the
picture above. Initially, leave session reliability disabled, until
Secure Gateway and Web Interface have been tested and the latest hotfix
has been applied to Secure Gateway. Click “OK”.
Right-click the Web Interface Site -> Manage secure client access
-> Edit DMZ settings.
Edit the “Default Client IP address” setting and select “Gateway
Direct”, so clients will access the Presentation Server Farm via the
Secure Gateway, instead of being delivered ICA files that include the
Private IP Address of the target Citrix Server. Click “OK”.
Since the Secure Gateway is still on the Private Network, edit the
hosts file (%WinDir%\system32\drivers\etc\hosts) on a test client
workstation and add an entry for the FQDN that’s listed on the SSL
From the test client workstation, open an Internet Browser and
address the FQDN of the Secure Gateway, i.e.
Since IIS is NOT listening on port 443, and Secure Gateway is, Secure
Gateway should automatically proxy the request to the Web Interface
Login Page. The page should display the SSL Secured (128 Bit) icon on
the Internet Browser’s Status Bar (shown above).
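The port split described here (Secure Gateway on 443, IIS moved to 444 or another unused port in part one) can be confirmed on the server before the browser test. This is an added example, not code from the article or from Citrix; it assumes IIS was moved to port 444 as in the article and parses the output of netstat.

```powershell
# Added example, not from the original article: confirms that on the combined
# Web Interface / Secure Gateway server TCP 443 and the IIS SSL port chosen in
# part one (444 in the article) are held by two different listening processes.
$IisSslPort = 444

function Get-TcpListener {
    param([int]$Port)
    # Columns of "netstat -ano -p tcp": Proto, Local Address, Foreign Address, State, PID
    netstat -ano -p tcp | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -ge 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING' -and $f[1] -match (':' + $Port + '$')) {
            $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Port = $Port; Address = $f[1]; Pid = [int]$f[4]; Process = $proc.ProcessName
            }
        }
    }
}

$csg = @(Get-TcpListener 443)
$iis = @(Get-TcpListener $IisSslPort)
if ($csg.Count -eq 0) { Write-Warning 'Nothing listens on 443; the Secure Gateway service is not running' }
if ($iis.Count -eq 0) { Write-Warning "Nothing listens on port $IisSslPort; IIS was not moved off 443" }
# On IIS 6 the listener belongs to HTTP.sys and shows as PID 4 (System); if 443
# shows the same PID, IIS still owns 443 and Secure Gateway cannot bind to it.
if ($csg.Count -gt 0 -and $iis.Count -gt 0 -and $csg[0].Pid -eq $iis[0].Pid) {
    Write-Warning ("Ports 443 and {0} are owned by the same process (PID {1}, {2})" -f $IisSslPort, $csg[0].Pid, $csg[0].Process)
}
$csg + $iis | Format-Table Port, Address, Pid, Process -AutoSize
```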
Launch a Published Application via the Web Interface and verify in
the Program Neighborhood Connection Center that the application was
launched via the Secure Gateway. This is distinguished via the Black
Lock on the Application Set, under ICA Connections. Additionally,
viewing the properties of the connection displays the Encryption Level
as “128 Bit SSL/TLS in use” (shown above).
Additionally, this can be confirmed via “Session Information” in the
Secure Gateway Management Console, which displays the Client IP, User,
Domain, Time Established and Time Elapsed.
Now that the configuration has been tested, download the latest
hotfix for Secure Gateway 3.0, currently SGE300W800. This
is a cumulative hotfix that contains all of the fixes from hotfixes
SGE300W001 thru SGE300W007.
Logoff all Secure Gateway Sessions and launch SGE300W800.MSI. Click
“Next” to continue.
If the error shown above is encountered during the installation of
hotfix SGE300W800.MSI, search %SystemDrive% for “msvcr71.dll”.
Paste the dll in %WinDir%\System32, and click “Retry” to start the
Secure Gateway Service.
Click “Finish” to complete the hotfix installation.
Installation of this hotfix requires a restart, so click “Yes” to
restart the Secure Gateway Server.
After the system restarts, re-test launching applications via the
Secure Gateway URL and Web Interface. If the applications launch
successfully, enable Session Reliability in the Web Interface Console
-> Web Interface Site -> Right-Click -> Manage secure client
access -> Edit Gateway settings, if so desired. Enabling Session
Reliability changes the communication protocol between the Secure
Gateway and Citrix Presentation Servers from TCP Port 1494 (ICA –
Independent Computing Architecture) to TCP Port 2598 (CGP – Common
Updates from hotfix SGE300W003, included in SGE300W800, allow one to
display more columns in the Secure Gateway Management Console. The
Server, Application and Session Idle Time columns can be enabled in the
Secure Gateway Management Console by adding the following registry
entries on the Secure Gateway Server.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Citrix Secure Gateway\3.0]
Now that Secure Gateway and Web Interface have been tested on the
private network, it is time to move the machine to the DMZ and
re-test. When the machine is connected to the DMZ, the Public DNS A
(Host) Record will need to be updated or added for the Secure Gateway,
so the machine can be addressed via FQDN by Internet Users.
Required Firewall Rules
- Internet to DMZ (Secure Gateway Server) – Allow TCP Port 443.
- DMZ (Secure Gateway Server) to Private Network (STA & XML
Service) – Allow TCP Port 80, or Farm XML Service Port, or TCP Port 443
if Securing STA Traffic via SSL.
- DMZ (Secure Gateway Server) to Private Network (Citrix
Presentation Servers) – Allow TCP Port 1494 (without Session
Reliability), or TCP Port 2598 (with Session Reliability).
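Once the server is in the DMZ, the DMZ-to-private rules above can be exercised from the Secure Gateway server itself. This is an added example, not code from the article or from Citrix; the server addresses are placeholders, and it assumes the default Farm XML port of 80 unless changed.

```powershell
# Added example, not from the original article: run on the Secure Gateway server
# once it is in the DMZ to test the private-network ports the rules above must
# allow. Addresses below are placeholders; substitute your own servers.
$XmlServers         = @('192.0.2.10')                  # STA / Farm XML Service hosts
$XmlPort            = 80                               # Farm XML port; 443 if STA traffic is secured
$CitrixServers      = @('192.0.2.11', '192.0.2.12')    # Presentation Servers hosting the apps
$SessionReliability = $false                           # $true once enabled in the Web Interface

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # A plain TCP connect is enough: a blocked rule times out, a closed port refuses
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# Session Reliability moves ICA traffic from TCP 1494 (ICA) to TCP 2598 (CGP)
$IcaPort = if ($SessionReliability) { 2598 } else { 1494 }
$results = @()
foreach ($s in $XmlServers) {
    $results += New-Object PSObject -Property @{ Purpose = 'STA / XML Service'; Target = $s; Port = $XmlPort }
}
foreach ($s in $CitrixServers) {
    $results += New-Object PSObject -Property @{ Purpose = 'Presentation Server'; Target = $s; Port = $IcaPort }
}
foreach ($r in $results) {
    Add-Member -InputObject $r -MemberType NoteProperty -Name Open -Value (Test-TcpPort $r.Target $r.Port)
}
$results | Format-Table Purpose, Target, Port, Open -AutoSize
if ($results | Where-Object { -not $_.Open }) { Write-Warning 'At least one required DMZ-to-private firewall rule is missing' }
```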
Below is an example diagram of a Citrix Farm configured to use Secure
Gateway and Web Interface as described in this article.
Citrix Web Interface 4.6 and Citrix Secure Gateway 3.0 can happily
reside in the DMZ on one Windows Server, with one IP Address, and one
SSL Server Certificate. There are other configurations that can be used,
depending on your security requirements. Refer to the Administrators
Guide and Troubleshooter’s Guide for documentation on alternate