CSG has been updated to version 3.2 in Feature Pack 3. To start the installation of CSG 3.2 click Start -> Run, type in "c:\fp3\Secure Gateway\Windows\CSG_GWY.msi" and press Enter (Figure 10-87).
Click Next (Figure 10-88).
Select I accept the license agreement and click Next (Figure 10-89).
Select Secure Gateway and click Next (Figure 10-90).
Click Next to accept the default installation folder (Figure 10-91).
Citrix best practice is to place the Secure Gateway/Web Interface server in the DMZ, and the server should not be a domain member. Since this server is Internet facing, it should be protected by all means possible. This includes running the service under an account that has the least possible privileges and not putting the server on your internal network.
On the Service Account page you have the option of running the Secure Gateway service under Local System or Network Service accounts. What is the difference and which one should be chosen? According to http://msdn.microsoft.com/en-us/library/ms684190(VS.85).aspx, the Local System account runs at a very high privilege level. The article recommends using the Network Service account if a high privilege level is not needed. The Secure Gateway service does not need, and should not be given, such a high privilege level. According to http://msdn.microsoft.com/en-us/library/ms684272(VS.85).aspx, the Network Service account has very few privileges. You should seriously consider using the Network Service account for the Secure Gateway service. It is very odd that this important decision is barely mentioned in the Secure Gateway for Windows Administrator's Guide or any Citrix Support Tech Notes.
Using the Network Service account reduces the attack surface should your Secure Gateway/Web Interface server be hacked. Since this account has no domain privileges it will make it harder for an attacker to compromise your domain.
If you do decide to place the Secure Gateway/Web Interface server on your internal network, then you must use the Network Service account.
Select NETWORK SERVICE from the dropdown list and click Next (Figure 10-92).
Verify the install options (Figure 10-93). If any corrections need to be made, click Back and make the necessary corrections. If everything is correct, click Next.
Click Finish (Figure 10-94).
Click OK to start the Secure Gateway Configuration wizard (Figure 10-95).
Click OK to start configuring Secure Gateway (Figure 10-96).
The Standard configuration does not allow us to set, or verify, all the necessary options. Select Advanced and click Next (Figure 10-97).
Select your SSL certificate and click Next (Figure 10-98). Click View... to view the information about your certificate. This is the same information that was seen in Figures 10-83, 10-84 and 10-85.
For "Select secure protocol", select Secure Sockets Layer (SSLv3) and TLSv1. For "Select cipher suite", select All and click Next (Figure 10-99).
If you have a single network card with a single IP address, you can select Monitor all IPv4 addresses (Figure 10-100). If you have multiple network cards and/or multiple IP addresses on this server, clear Monitor all IPv4 addresses, click Add and add the network interface(s) you wish to monitor for TCP port 443 traffic.
Secure Gateway will handle all TCP port 443 traffic and IIS handles SSL traffic on TCP port 444 (or whatever you selected earlier). Enter 443 for the TCP port and click Next.
Note: IPv6 is only supported under Windows Server 2008.
Select No outbound traffic restrictions and click Next (Figure 10-101).
The Secure Ticket Authority (STA) is installed on every XenApp server. If you have multiple XenApp servers, enter as many of them as you like to provide failover. Best practice is to list a dedicated Most Preferred Data Collector and a backup Data Collector.
Click Add (Figure 10-102).
Note: Secure Ticket Authority (STA) is part of the XML Service that runs on all XenApp servers.
Enter citrixone for the Fully Qualified Domain Name (FQDN) and click OK (Figure 10-103).
Click Next (Figure 10-104).
By default, Secure Gateway is limited to 250 concurrent connections. I would not recommend increasing this limit. If you need more than 250 concurrent connections you should seriously consider Citrix's hardware solution the Citrix Access Gateway.
Accept the defaults and click Next (Figure 10-105).
If you have any hardware load balancing appliances in front of your Secure Gateway/Web Interface server, enter the IP addresses here to exclude them from generating event log entries and click Next (Figure 10-106).
Since the Secure Gateway and Web Interface are installed on the same server, select Indirect:..., check Installed on this computer and click Next (Figure 10-107).
Select the level of logging you wish to receive from the Secure Gateway service and click Next (Figure 10-108).
Check to Start the Secure Gateway service and click Finish (Figure 10-109).
Exit the Explorer windows and the Citrix XenApp installation program.
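After the wizard finishes, the choices made above (Network Service as the service account, a non-domain-joined server, Secure Gateway on TCP 443 and IIS on TCP 444) can be verified from the command line rather than by re-opening the wizard. The following PowerShell script is an added example written for this page, not part of the Citrix installer or its documentation. It assumes the Secure Gateway service's display name contains "Secure Gateway" (the page does not give the exact service name, so it is matched by pattern) and that IIS was left on port 444; change `$expectedPorts` if you picked a different port earlier.

```powershell
# Post-install check for a Secure Gateway / Web Interface server.
# Added example; not Citrix code. Run in an elevated PowerShell prompt.

$expectedAccount = 'NT AUTHORITY\NetworkService'   # what WMI reports for Network Service
$expectedPorts   = @(443, 444)                     # 443 = Secure Gateway, 444 = IIS (assumption: default kept)

function New-Result($check, $pass, $detail) {
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Check  $check
    $o | Add-Member NoteProperty Pass   $pass
    $o | Add-Member NoteProperty Detail $detail
    return $o
}

$results = @()

# 1. Service account: must be Network Service, never Local System.
#    Assumption: display name contains "Secure Gateway".
$svc = Get-WmiObject -Class Win32_Service | Where-Object { $_.DisplayName -like '*Secure Gateway*' }
if (-not $svc) {
    $results += New-Result 'Secure Gateway service present' $false 'no service with "Secure Gateway" in its display name'
} else {
    foreach ($s in $svc) {
        $results += New-Result "Service '$($s.Name)' running" ($s.State -eq 'Running') $s.State
        $results += New-Result "Service '$($s.Name)' runs as Network Service" ($s.StartName -eq $expectedAccount) $s.StartName
    }
}

# 2. Domain membership: a DMZ gateway should be a standalone (workgroup) server.
$cs = Get-WmiObject -Class Win32_ComputerSystem
$results += New-Result 'Server is not a domain member' (-not $cs.PartOfDomain) $cs.Domain

# 3. Listeners: Secure Gateway on 443 and IIS on 444 should both be listening.
$listening = netstat -ano -p tcp | Where-Object { $_ -match 'LISTENING' }
foreach ($p in $expectedPorts) {
    $hit = $listening | Where-Object { $_ -match ":$p\s" } | Select-Object -First 1
    $results += New-Result "TCP port $p listening" ([bool]$hit) $hit
}

# Any row with Pass = False is a configuration point to revisit in the wizard.
$results | Format-Table Check, Pass, Detail -AutoSize
```

A `Pass` of False on the service-account row means the service was installed under Local System and should be re-run through the wizard (or reconfigured) before the server is exposed; a domain-member result on a DMZ server is the condition the author warns against above.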