In Part 2 of this 3-part article, you learned how to:
- Generate an SSL certificate request
- Purchase a Wildcard SSL Certificate from GoDaddy
- Complete the certificate request
- Test secure access to published applications
- Export the SSL Certificate's Private Key for use on additional servers
In Part 3, you will learn to install and configure Citrix Secure Gateway 3.1 and test external and internal secure access to published applications.
When you completed Part 2, you were at the server's desktop (Figure 1).
Double-click the CSG_GWY.msi file and click Next (Figure 2).
Select I accept the license agreement and then click Next (Figure 3).
Select Secure Gateway and then click Next (Figure 4).
Click Next to accept the default installation folder (Figure 5).
Citrix Best Practice is to place the Secure Gateway/Web Interface server in the DMZ and the server should not be a domain member. Since this server is an Internet facing server it should be protected by all means possible. This includes using an account that has the least possible privileges and not putting the server on your internal network.
On the Service Account page you have the option of running the Secure Gateway service under Local System or Network Service accounts. What is the difference and which one should be chosen? According to http://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx, the Local System account runs at a very high privilege level. The article recommends using the Network Service account if a high privilege level is not needed. The Secure Gateway service does not need, and should not be given, such a high privilege level. According to http://msdn.microsoft.com/en-us/library/ms684272(VS.85).aspx, the Network Service account has very few privileges. You should seriously consider using the Network Service account for the Secure Gateway service. It is very odd that this important decision is not mentioned in the Secure Gateway for Windows Administrator's Guide or any Citrix Support Tech Notes.
Using the Network Service account reduces the attack surface should your Secure Gateway/Web Interface server be hacked. Since this account has no domain privileges it will make it harder for an attacker to compromise your domain.
If you do decide to place the Secure Gateway/Web Interface server on your internal network, then you must use the Network Service account.
Select NETWORK SERVICE from the dropdown list and then click Next (Figure 6).
Verify the install options (Figure 7). If any corrections need to be made, click Back and make the necessary corrections. If everything is correct, click Next.
Click Finish (Figure 8).
- Please click the desired page number to continue reading: