Filename: Readme.txt
For: Citrix Secure Gateway for Windows, Version 1.0
Date: December 14, 2001
Languages: English only

Copyright (c) 2001 Citrix Systems, Inc. All rights reserved.

Introduction
______________

Citrix Secure Gateway for Windows is exciting new technology designed
to provide SSL encrypted communications between a Citrix ICA Client
and a MetaFrame server over public networks, such as the Internet.

Citrix Secure Gateway functions as a secure Internet gateway between
MetaFrame servers and ICA Client workstations. All data traversing the
Internet, between the client workstation and the Secure Gateway
server, is encrypted, ensuring privacy and integrity of the
information flowing across the Internet.

Important
_________

Citrix Secure Gateway, Version 1.0 does not support hardware
configured with multiple processors. Please ensure that you run Citrix
Secure Gateway on single processor hardware.

----------------------------------------------------------------------

This README.TXT file includes the following information:

* A description of the product documentation provided
* Instructions about installing the Citrix Secure Gateway software
* Late breaking information
* Information about restrictions and known problems

WHERE TO FIND DOCUMENTATION
_____________________________

Your Citrix Secure Gateway distribution kit includes the following
documentation in PDF format:

* The Getting Started Guide gives a quick overview of what you need to
  do to install and run Citrix Secure Gateway software.
* The Installation Checklist is a pre-installation worksheet that's
  designed to help you complete pre-installation tasks, and to collect
  the information you will need during installation of Citrix Secure
  Gateway. Citrix recommends that you fill out this checklist before
  you proceed with installation.
* The Citrix Secure Gateway Administrator's Guide provides conceptual
  information, and detailed instructions on installing, configuring,
  and troubleshooting Citrix Secure Gateway.

Adobe Acrobat Reader 4 or later is required to view documents in PDF
format. If you do not have Adobe Acrobat installed, you can download a
copy at no charge from http://www.adobe.com/.

INSTALLATION INSTRUCTIONS
__________________________

1. Download Setupcsg100en.exe to your local hard drive.
   Setupcsg100en.exe is a self-extracting archive. Run it to extract
   its contents to the default directory, c:\csginstall, or a
   directory that you specify.

2. The Citrix Secure Gateway introduction screen containing
   instructions for software installation and accessing electronic
   documentation appears. We recommend that you read the documentation
   and fill out the Installation Checklist before you install the
   Citrix Secure Gateway software.

LATE BREAKING INFORMATION
___________________________

This section includes important last-minute notes and tips - PLEASE
READ IT CAREFULLY BEFORE INSTALLING Citrix Secure Gateway.

Citrix Secure Gateway performance benchmarks
----------------------------------------------

A typical installation of Citrix Secure Gateway on a 1GHz
single-processor server with 512 MB of memory will support in the
range of 1000-2000 simultaneous connections, depending on the usage
profile of your Citrix MetaFrame servers.

The Secure Ticket Authority (STA) is a lightly loaded service (ISAPI
DLL), only used briefly during connection establishment, and has
minimal system requirements above that required by Windows 2000 server
and Internet Information Services.

ICA Client compatibility
--------------------------

The Citrix Secure Gateway product is compatible with SSL-enabled
Citrix ICA Clients, version 6.20.
At the time of this release, the following versions of Citrix ICA
Clients for 32-bit Windows, Java, Linux, Solaris SPARC, and Macintosh
platforms, are proven to be compatible with Citrix Secure Gateway v1.0
for Windows.

Tested versions:

* 32-bit Windows Version 6.20.985
* Java Version 6.20.1206
* Macintosh Version 6.20.127
* Linux Version 6.20.973
* Solaris SPARC Version 6.20.976

Check the Citrix Web site for details about availability of additional
client platforms, and their compatibility with Citrix Secure Gateway.
The latest ICA Client versions can be downloaded from the Citrix
download site at http://www.citrix.com/download/

NFuse compatibility
---------------------

Support for Citrix Secure Gateway on NFuse Web servers, Versions 1.51
and 1.60, is provided by installing NFuse Extensions, a software
update for NFuse, that ships with Citrix Secure Gateway. This software
update installs a sample Web site template that contains scripts to
enable NFuse to support ticketing.

Future versions of NFuse will natively support ticketing functionality
required for Citrix Secure Gateway operation. Citrix recommends that
you DO NOT install NFuse Extensions if you are using a version of
NFuse later than 1.60.

To upgrade your existing NFuse Web server (which has NFuse Extensions
installed), to a version later than 1.60, you MUST disable NFuse
Extensions, and use the native Citrix Secure Gateway support
available. See the NFuse Administrator's Guide for more information.

Using Citrix Secure Gateway in a non-English environment
-----------------------------------------------------------

The following section lists issues with and recommendations for using
Citrix Secure Gateway software in a non-English server environment:

1. Fully Qualified Domain Names (FQDNs) must be English strings.

Citrix Secure Gateway has been internationalized, and can be installed
and used on non-English Windows 2000 server platforms.
To correctly configure Citrix Secure Gateway, you must use English
FQDNs (Fully Qualified Domain Names). Current Internet standards and
conventions restrict FQDNs to English language strings so that they
can be properly resolved by participating Domain Name Servers. Both
the hostname and domain name must be in English.

2. Secure Gateway Service configuration utility.

The Secure Gateway Service configuration utility is Unicode aware and
can be used to input foreign language strings for logging directory
names.

3. Secure Ticket Authority

The STA ID (a unique identification string for the server running the
Secure Ticket Authority) configured through the Secure Ticket
Authority configuration utility, must be English alphanumeric,
uppercase characters only.

4. NFuse Extensions

Sample Web site templates installed as part of NFuse Extensions,
supplied with Citrix Secure Gateway v1.0 for Windows, are designed for
use in an English language environment.

To convert the sample Web site (that was installed with NFuse
Extensions) to work in a different language, edit default.htm and
applist.asp files to modify the requested character set. Edit the
charset value as appropriate; for example, to display the sample Web
site in a Japanese language environment set charset to:

Using SSL accelerator cards with Citrix Secure Gateway
--------------------------------------------------------

An SSL accelerator card is not necessary in a Citrix Secure Gateway
deployment, and may not offer substantial advantages. Typical SSL
accelerator cards only accelerate the initial SSL handshake, and not
the bulk encryption process.
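
The FQDN and STA ID rules listed under "Using Citrix Secure Gateway in
a non-English environment" above can be checked before the values go
into the Installation Checklist. This is an added example, not part of
the Citrix README or product: the function names are hypothetical,
"English" is assumed to mean ASCII letters, digits and hyphen, and no
STA ID length limit is enforced because the page states none.

```python
import re

# Assumption: "English" is read as ASCII letters, digits and hyphen,
# the hostname syntax DNS servers resolve without IDN encoding.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# README rule: English alphanumeric, uppercase only. Length limits are
# not stated on the page, so none are enforced here.
STA_ID_RE = re.compile(r"[A-Z0-9]+")


def check_fqdn(name):
    """Return a list of problems; an empty list means the name passes."""
    problems = []
    if not name.isascii():
        problems.append("contains non-ASCII characters")
    host = name[:-1] if name.endswith(".") else name  # allow trailing dot
    if len(host) > 253:
        problems.append("longer than 253 characters")
    labels = host.split(".")
    if len(labels) < 2:
        problems.append("not fully qualified: needs host and domain")
    for label in labels:
        if not LABEL_RE.fullmatch(label):
            problems.append(f"invalid label {label!r}")
    return problems


def check_sta_id(sta_id):
    """True only for ASCII A-Z and 0-9. str.isupper()/isalnum() are not
    enough: they also accept full-width and other non-ASCII characters."""
    return STA_ID_RE.fullmatch(sta_id) is not None


if __name__ == "__main__":
    # Constructed sample values, including a Japanese label and a
    # full-width "STA01" that a naive isupper()/isalnum() test accepts.
    for fqdn in ("csg01.example.com", "csg01", "\u30b2\u30fc\u30c8.example.com"):
        print(ascii(fqdn), check_fqdn(fqdn) or "ok")
    for sta in ("STA01", "sta01", "\uff33\uff34\uff21\uff10\uff11"):
        print(ascii(sta), check_sta_id(sta))
```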

KNOWN PROBLEMS
___________________

Compatibility issues with the ICA Win32 Client
================================================

ICA Win32 Client - problems with intermediate certificates
------------------------------------------------------------

The Citrix Win32 ICA Client version 6.20.985 has a known issue where
it does not recognize server certificates issued by an intermediate
Certificate Authority (CA). This issue will be resolved in a future
ICA Client release. For more details, please refer to article
CTX999239 at http://knowledgebase.citrix.com/.

Problems with auto client reconnect feature
---------------------------------------------

Auto Client Reconnect is enabled by default on the ICA Win32 Client
(Version 6.20.985). However, this feature is not supported on Citrix
Secure Gateway, Version 1.0.

When an ICA connection is dropped, the error message "Error in
connection", telling the user that the client will reconnect, appears
on the client device. As Citrix Secure Gateway does not support Auto
Reconnect, attempts to reconnect will fail. In this situation, we
recommend that the user cancel the dialog and reconnect to the
required application through NFuse. This issue will be resolved in
future ICA Client releases.

Known problems with Secure Gateway Service
============================================

Secure Gateway configuration utilities take too long to validate FQDNs
----------------------------------------------------------------------

When you enter an FQDN in any of the Citrix Secure Gateway
configuration utilities, the program tries to resolve the FQDN
specified. This validation check may take some time depending on the
efficiency of your network. The mouse pointer will change into an
hourglass to indicate that the system is performing a validation
check.

Keepalive polls from load balancers are being logged as connections
--------------------------------------------------------------------

This problem may be encountered when all of the following are true:

1. You are using an external load balancer to load balance a Secure
   Gateway server array; and
2. The load balancer is configured to poll port 443 on the Secure
   Gateway server to check if the server is alive; and
3. Logging level on the Secure Gateway server(s) is set to 3.

If all of the above are true, then you may find that your log files
are being filled up much too rapidly. As a workaround, set the logging
level on the Secure Gateway server to 1 or 2.

Load Balancer does not report Active Sessions if they are idle
----------------------------------------------------------------

Some load balancers stop reporting active ICA connections flowing
through them if the connections have been idle for a while. This is
because of the way in which certain load balancers treat idle
connections. Connections that have been idle for a certain amount of
time stop being represented as active connections in the load
balancer's reporting tools even though they are still valid
connections.

The workaround is to configure Keepalive settings, in the Windows
registry, on the Secure Gateway server(s). If you have a load balanced
Secure Gateway server array, decrease the Keepalive values to force
packets to be sent after a period of session inactivity. For more
information on configuring Keepalive settings, see the Citrix Secure
Gateway Administrator's Guide.

Problems with NFuse Extensions
===============================

NFuse Extensions always expects ICA port to be 1494
-----------------------------------------------------

If you configured your MetaFrame servers to listen for ICA connections
on a port other than 1494, you must manually edit the template.ica
file (the default path is ..\inetpub\wwwroot\csg\template.ica) used by
NFuse to generate ICA files for clients connecting through Citrix
Secure Gateway. Locate the entry below, and set the port number (the
default is 1494) to a value specific to your environment.

    Address=[NFuse_IPV4Address]:port number

where "port number" is the ICA port number your MetaFrame servers are
configured to use.

To put multiple instances of NFuse Extensions on a single Web server
----------------------------------------------------------------------

To run multiple NFuse Extensions Web sites on a single NFuse server,
you must first install and configure a single Web site (default
location is ..\inetpub\wwwroot\csg\). Next, duplicate the entire
directory (containing the Web site) to create multiple sites. Finally,
customize the configuration files, csg_conf.inc and template.ica in
the respective Web site directories.

Web-based ICA Client installation with Citrix Secure Gateway Web site
----------------------------------------------------------------------

When you install NFuse Extensions, a sample Web site template for
Citrix Secure Gateway is created. This Web site contains scripting
that checks for a compatible version of the ICA Client on the client
device. Once a user logs in, an "Install Client" button becomes
available on the Web page. Users who do not have a compatible version
of the ICA Client on their machines are prompted to install the latest
version available if the button is clicked. At this point, the user
can click the "Install Client" hyperlink to install the latest version
of the client.

To enable users to download the latest client software from the Citrix
Secure Gateway Web site on the NFuse server, you need to have copied
the \ICAWEB directory from the ICA Client CD, which came with your
MetaFrame XP distribution kit, to the ..\inetpub\wwwroot\citrix
directory on your NFuse Web server. The ICA Client package is also
available for download from the Citrix Web site,
http://www.citrix.com/download/. See the NFuse Administrator's Guide
for information about Web-based installation of ICA Client software.

Important: Ensure that the ..\inetpub\wwwroot\citrix directory on the
NFuse Web server contains versions of ICA Client that are compatible
with Citrix Secure Gateway.

Load-balancing Secure Gateway arrays
======================================

To achieve large scalability and fault tolerance, Citrix Secure
Gateway uses the services of an external network load balancer. A
Cisco CSS 11000 Series Content Services switch was utilized as the
reference platform for development and testing of Citrix Secure
Gateway. Note however that Citrix Secure Gateway should be compatible
with any industry standard network load balancing device.

Pubs Errata
______________

Page 40 of the Citrix Secure Gateway Administrator's Guide recommends
selecting a bit length of 1024 or greater for the server certificate's
encryption strength. However, for the following versions of ICA
Clients, you need to specify a bit length of 1024 or less.

* Macintosh Version 6.20.127
* Linux Version 6.20.973
* Solaris SPARC Version 6.20.976

This means that these versions of the clients will only connect to a
Citrix Secure Gateway server on which a server certificate with a key
length of 1024 or less is installed.

Check the Citrix Web site for details about availability of additional
client platforms, and their compatibility with Citrix Secure Gateway.
The latest ICA Client versions can be downloaded from the Citrix
download site at http://www.citrix.com/download/
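
The template.ica port edit described under "NFuse Extensions always
expects ICA port to be 1494", which has to be repeated in each copied
directory when running multiple NFuse Extensions Web sites, can be
scripted so that a missing or duplicated Address entry is caught
instead of silently written. This is an added example, not part of the
Citrix README or product: the function name set_ica_port and the
sample template text are assumptions constructed for illustration.

```python
import re

# The Address entry named in the README. Anything after the colon
# (an old port, or the literal "port number" placeholder) is replaced.
ADDRESS_RE = re.compile(r"(\s*Address\s*=\s*\[NFuse_IPV4Address\])(?::.*)?\s*")

# Constructed sample; only the Address entry comes from the README.
SAMPLE_TEMPLATE = (
    "[ExampleSection]\r\n"
    "Address=[NFuse_IPV4Address]:1494\r\n"
    "ExampleKey=unchanged\r\n"
)


def set_ica_port(template_text, port):
    """Return template_text with the Address entry pointing at `port`."""
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"invalid TCP port: {port!r}")
    out, hits = [], 0
    for line in template_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]  # keep CRLF/LF exactly as found
        m = ADDRESS_RE.fullmatch(body)
        if m:
            hits += 1
            line = f"{m.group(1)}:{port}{eol}"
        out.append(line)
    if hits != 1:
        # Refuse to emit a template with no (or an ambiguous) Address entry.
        raise ValueError(f"expected exactly one Address entry, found {hits}")
    return "".join(out)


if __name__ == "__main__":
    # 2598 is an arbitrary constructed port for the demonstration.
    print(set_ica_port(SAMPLE_TEMPLATE, 2598), end="")
```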