
	Related Articles Documenting a Citrix XenApp 5 Farm with Microsoft PowerShell and Word – Version 2 Documenting a Citrix XenApp 6.5 Farm with Microsoft PowerShell and Word – Version 3.1 Java Runtime Installation Failure (Error 1330) Updated June 30, 2011 for JRE Update 26 Adding an SSD Storage Device to Citrix XenServer Fixing a Broken Delivery Services Console on Citrix XenApp 5 for Windows Server 2003


	About Carl Webster Webster is an independent consultant specializing in Citrix, Active Directory and Exchange. Webster has been working with Citrix products for over 18 years starting with Multi-User OS/2. Webster has led complex projects for key customers in multiple industries, including medical suppliers, direct mail providers, sports marketing, a major grocery chain and large regional medical facilities.


	Virtualization Podcasts GreenBytes and Desktone: On-Premises, Cloud-Managed Virtual Desktops Podcast with Stephen O’Donnell and Danny Allan - May 13, 2013 Episode 178


	DABCC TV-Videos LogicMonitor: SaaS Performance Monitoring Video Podcast with Steve Francis - Episode 44

In Part 2 of this 3-part article, you learned how to:

Generate an SSL certificate request
Purchase a Wildcard SSL Certificate from GoDaddy
Complete the certificate request
Test secure access to published applications
Export the SSL Certificate's Private Key for use on additional servers

In Part 3, you will learn to install and configure Citrix Secure Gateway 3.1 and test external and internal secure access to published applications.
When you completed Part 2, you were at the server's desktop (Figure 1).

Figure 1

Double-click the CSG_GWY.msi file and click Next (Figure 2).

Figure 2

Select I accept the license agreement and then click Next (Figure 3).

Figure 3

Select Secure Gateway and then click Next (Figure 4).

Figure 4

Click Next to accept the default installation folder (Figure 5).

Figure 5

Citrix Best Practice is to place the Secure Gateway/Web Interface server in the DMZ and the server should not be a domain member. Since this server is an Internet facing server it should be protected by all means possible. This includes using an account that has the least possible privileges and not putting the server on your internal network.

On the Service Account page you have the option of running the Secure Gateway service under Local System or Network Service accounts. What is the difference and which one should be chosen? According to http://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx, the Local System account runs at a very high privilege level. The article recommends using the Network Service account if a high privilege level is not needed. The Secure Gateway service does not need, and should not be given, such a high privilege level. According to http://msdn.microsoft.com/en-us/library/ms684272(VS.85).aspx, the Network Service account has very few privileges. You should seriously consider using the Network Service account for the Secure Gateway service. It is very odd that this important decision is not mentioned in the Secure Gateway for Windows Administrator's Guide or any Citrix Support Tech Notes.

Using the Network Service account reduces the attack surface should your Secure Gateway/Web Interface server be hacked. Since this account has no domain privileges it will make it harder for an attacker to compromise your domain.

If you do decide to place the Secure Gateway/Web Interface server on your internal network, then you must use the Network Service account.
Select NETWORK SERVICE from the dropdown list and then click Next (Figure 6).

Figure 6

Verify the install options (Figure 7). If any corrections need to be made, click Back and make the necessary corrections. If everything is correct, click Next.

Figure 7

Click Finish (Figure 8).

Figure 8

Please click the desired page number to continue reading:
1
2
3
4
Next

White Paper: Atlantis ILIO Diskless VDI for VMware View

Sponsored Link: Immidio AppScriber – application self-assignment -download free trial

Article Tags

Citrix Secure Gateway Support and Training Resources

Citrix Support and Training Resources

Citrix XenApp (Presentation Server) News, Support and Training Resources

Web Interface Support and Training Resources

Webster’s Presentation Virtualization Tips and Tricks from the Trenches

Article Comments

posted by Guest - 07/29/2009

Secure XML access to the XenApp servers

Thanks for the great guide. I've installed, setup and tested a successfull installation using these methods. However i'd now like to look at securing the XML communication from the CSG in the DMZ to the XenApp servers. I'd have thought it would be as easy as to installi a certificate on the CSG and the Root cert on the XenApp servers then changing the WI to communicate via using HTTPS (port443 - shared on the XenApp servers).

Alas I can't get that working but instructions on that would make a nice accompanyment to this article.

MattH

» reply

posted by Carl Webster - 03/26/2009

Domain server

Yes it can be. It is just not recommended. Just take the necessary precautions.

I would recommend just making the server a member of a workgroup called DMZ and placing it on your local lan. Not the safest thing to do or the safest place for the server but it will work. This is how my server is setup in my lab environment. It works, but again, it is not recommended.

» reply

posted by Guest - 03/26/2009

Secure Gateway Guide

Carl - thanks for a great guide....(I look forward to implementing it in the near future)...but my DMZ knowledge is ZERO... can the server be part of the domain and accessed via open firewall ports...

Thanks Again

Jasono

» reply

Submit a Comment

DABCC User:
Guest
Subject:
Message:
Image Code: