To start the installation of CSG change the VM’s DVD Drive to the XenApp 5 ISO file (Figure 87).
The XenApp 5 installation starts. Click Browse Media (Figure 88).
Double-click Secure Gateway (Figure 89).
Double-click Windows (Figure 90).
Double-click the CSG_GWY.msi file and click Next (Figure 91).
Click Next (Figure 92).
Select I accept the license agreement and then click Next (Figure 93).
Select Secure Gateway and then click Next (Figure 94).
Click Next to accept the default installation folder (Figure 95).
Citrix Best Practice is to place the Secure Gateway/Web Interface server in the DMZ and the server should not be a domain member. Since this server, outside of this Learning series, is an Internet facing server it should be protected by all means possible. This includes using an account that has the least possible privileges and not putting the server on your internal network.
On the Service Account page you have the option of running the Secure Gateway service under Local System or Network Service accounts. What is the difference and which one should be chosen? According to http://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx, the Local System account runs at a very high privilege level. The article recommends using the Network Service account if a high privilege level is not needed. The Secure Gateway service does not need, and should not be given, such a high privilege level. According to http://msdn.microsoft.com/en-us/library/ms684272(VS.85).aspx, the Network Service account has very few privileges. You should seriously consider using the Network Service account for the Secure Gateway service. It is very odd that this important decision is not mentioned in the Secure Gateway for Windows Administrator's Guide or any Citrix Support Tech Notes.
Using the Network Service account reduces the attack surface should your Secure Gateway/Web Interface server be hacked. Since this account has no domain privileges it will make it harder for an attacker to compromise your domain.
If you do decide to place the Secure Gateway/Web Interface server on your internal network, then you must use the Network Service account.
Select NETWORK SERVICE from the dropdown list and then click Next (Figure 96).
Verify the install options (Figure 97). If any corrections need to be made, click Back and make the necessary corrections. If everything is correct, click Next.
Click Finish (Figure 98).
Click OK to start the Secure Gateway Configuration wizard (Figure 99).
- Please click the desired page number to continue reading: