CSG allows clients to make secure connections to our XenApp servers from the Internet without the use of a VPN. I will be using the versions of CSG and WI that are provided with Citrix XenApp 6 and I’ll be installing them on Windows Server 2008 R2. The server will be set up in a DMZ and will not be a member of my Active Directory domain. Click here for details on how to install XenApp 6. Also you’ll need to make sure and publish an application on your XenApp server; you can find details in this post. IIS will be enabled automatically for you. Any ideas? Also make sure that the port the XML service uses on the XenApp server is available through your firewall to your Secure Gateway server if it is in a separate network like a DMZ. One other thing: check that the Windows firewall is set to allow inbound access to the XML service port, although this should be configured automatically with the XenApp installation. DNS must have been a little slow that day. Now we are getting the error “SSL Error 86: The security certificate “” is not suitable for use in SSL connections”. My guess is that is because we do not have a secure cert. Question being, when we go to purchase a cert do we purchase a regular cert with 1 domain name, or do we get a UCC cert so both internal and external names will work?
Citrix recommends applying the most up-to-date version of the software, which addresses the fix or enhancement being targeted. Later versions of the release may include multiple changes that address different areas including security vulnerabilities, code fixes, and enhancements. Installation of this software should only be performed on test or developmental environments. Any reported issues will require the most current revision of the software. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. The Secure Gateway manual provides information to administrators about features, installation and setup, implementation, and deployment of the Secure Gateway.
Am I supposed to log into the CSG website with my domain user name and password? (If so, I am unable to do so.) Btw I am not using XenApp but trying to use XenDesktop 4.0. lol. I appreciate your help. And I might have more questions to come! Thanks RC My suggestion would be to install the Web Interface component and test logging on to the WI website using a domain user and launch a published application before proceeding to install CSG. I’m not quite sure what you are saying that you are getting lost changing from HTTP to HTTPS. It shows a blank page. Strange. Thanks for your help again! The best advice I can give is to double check your access rules on your Sonicwall firewall as well as the software firewall on your Windows 2008 R2 servers and make sure all necessary ports are open (these should all be listed at the end of the article). I have a small farm on our secure network. I want the WI and the CSG on the same box in the DMZ which seems to be what you are doing. There is no mention of what needs to be done on the firewall separating the DMZ from the secure network. I might be missing something clearly, but surely ports etc. need to be open in order for the WI to talk to the farm at all? If for some reason it doesn’t show up for you, I have pasted the section below. Good luck! Aaron I think I need to add each of my XenApp Servers here, but when I do I get “The STA specified cannot be contacted”. To be honest I would expect that, since how is a box in the DMZ able to see the STA boxes which are Domain Servers? On the very same issue, when testing, how is a user going to authenticate to the Domain when the Web Interface is in the DMZ? I think there is likely to be something very obvious I am missing, but I would love your help. Obviously this is not a configuration that you would want to expose to the internet. So you would need to make a configuration change in both management consoles. I know what to open as your document makes it pretty clear.
I haven’t tried using a UCC certificate yet with Secure Gateway so I’m not exactly sure if that would solve your issue. I am also in the process of setting up my Secure Gateway with a third party cert. It will be a regular single domain cert and I’m planning on using split DNS so that clients will connect using the same web address regardless of their location. I’ll be preparing an article on this soon! Thank you for posting all that you have. The only trouble I am running into is connecting external clients. We are not using a 3rd party cert yet (could be the issue). For testing purposes we would like to just use a domain cert we created if possible. Internally XENAPP works great. I even have a few users testing it out. Externally we can login to the xenapp website\portal. When we attempt to open an app we get 1 of the following errors. “SSL Error 86: The security Certificate “nameofmycert” is not suitable for use in SSL connections”.You may have been getting that error message if your external clients didn’t have the root certificate of your domain CA imported into their certificate store? I recently published an article about using a free certificate from a public CA with IIS: Now, how to forbid http? If this is the case there are a couple of options for you. You could use the Windows firewall on the server to prevent inbound access to port 80. One other option would be to configure IIS on the server to require HTTPS on the Web Interface website. I say this because by default XenApp selects 80 as the port the XML Service listens on, and it is extremely important that the XenApp server has this port reachable so that the Web Interface server can retrieve information such as the list of applications each user can access. If you followed my XenApp tutorial the XML Service would be configured on a different port, however. The tutorial I understand until I get to a certain point. I think I get lost when you changed the screen shots from HTTP to the HTTPS.
Or are the internal clients connecting differently than the external, using the Web Interface or directly with the Citrix Full Plugin icon? Same result. After installing CSG, HTTPS URLs fail, but HTTP URLs open the authentication page (kind of backwards from what CSG is supposed to be doing, I thought). Also where are your connecting clients located? One option starting off would be to set up a test environment with clients, WI, and XenApp all on the same LAN. Also it is possible that the Windows host firewall on the WI is interfering with the connection process, although in my experience the WI installation has automatically configured the necessary rules. Firewalls are disabled on the servers and clients. I appreciate you responding, I think I’m good to go, we will see. Glad everything worked out. Basically saying that the internal DNS name (myserver.myschool.local) doesn’t match the public certificate (home.myschool.org); which it doesn’t. This installation, XA6 and WI 5.3, is for remote access only, not for internal use. Your documentation was awesome, I’m just not sure what I did wrong. I can tell you that in my environment I am publishing to the Internet with a publicly available DNS name (with a matching certificate) and my servers have a different private DNS name. I also have my own CA server. I am getting the following error when trying to launch an app from WI: “The Citrix SSL server you have selected is not accepting connections.” How do I create an SSL cert that will match on WI and CSG? Is there any reason in particular that you do not want to have WI also installed on the CSG? You may need to configure an additional Gateway Direct option under Secure Access for your external clients. I can’t remember if Win 2003 CA is capable of this out of the box, but I’m pretty sure 2008 is. I read in the admin guide that it shouldn’t be an issue to have 2 separate servers. I see sessions in CSG. 6. Users connect externally through URL: 7.
I did install the CSG in the LAN and it had no problem recognising the STAs, as I would expect. I am still confused. Are you using ISA as your internal firewall, and if so, what steps did you follow on there? Surely if you are connecting through 443 you are going to need a cert on the firewall. It just seems that there is a piece of the puzzle missing. Your firewall should be able to pass 443 thru to another device without needing the cert installed; only if the firewall itself was the endpoint for 443 should it be needed. I’ll take a look at my configuration and see if my post is missing a port. You could also install Network Monitor or Wireshark on your CSG and monitor the network traffic that it attempts to send. Aren’t firewalls frustrating? Half the problems I encounter generally seem to be firewall related, whether it be a network device or the software firewall on a host. But a necessary evil I guess. Also applications published in metaframeap servers can be accessed from the internet. If you have CSG and WI separated into different servers this may still work but I don’t have any experience with it. I think I will document my experience integrating these; I should have when I was first testing it out! So then I created XenDesktop which is all joined to the domain and authenticates via AD. Personally I would try and set up a completely new WI workgroup server without MetaFrame or any other roles and see if you can access your MetaFrame and XenDesktop farms from that. That way you’d find out if MetaFrame was interfering with the WI authentication to the XenDesktop farm. Hope that helps. I think I can’t add an additional WI in the SG and the relationship would be 1 WI to 1 SG and it cannot be 2 WI and 1 SG. But when we go to launch any app, it doesn’t work. Acts like it is, but it just goes back to the app screen. We have everything running on a single server currently. Any ideas?
I do have one question and forgive me if it was already answered above. Right now after all done, to reach the site from client browser, its. What you are looking for is an HTML Redirect. So basically create a file such as “c:\inetpub\wwwroot\index.htm” and make its contents something like this (make sure the meta tag is placed in between the head tags): Thank you for providing it. You helped me stand up a Citrix environment with no previous experience. I am trying to make applications available via Citrix Receiver for iPad. Any ideas on what I may be doing wrong? Thanks so much. I have experienced issues getting the published apps to start when there are problems with Citrix licensing. Also I have had similar issues when I attempted to access an app that was only published on a XenApp server that was down at the time, so you may want to double check that everything is connected and running properly. Also you may want to test with other types of clients to verify if it is something more general or just specific to the iPad Receiver. I have encountered this issue on OS X and Linux clients, while on the Windows clients it was either included with the OS or it was imported automatically. But in this case I always received an error about the SSL certificate not being trusted. But I have it working correctly via the client Online Plug-In, so I am not sure what I have missed. I will keep investigating and see what I can come up with. Great job! I have 2 network cards with 2 different static IPs. The first IP is for the internal web interface only and the second IP is NATted with the public IP address for the external web interface on port 443. Both with TCP port 80 and the second site (External access) with SSL port 444. Any idea how to fix? I don’t believe that it is necessary to have 2 WI sites in your scenario; in the Web Interface site properties there are options available to differentiate between internally and externally connecting clients.
In particular, you can identify your internal clients by the source IP subnet to connect “Direct” and all traffic from all other subnets (your external clients) to connect via “Gateway Direct”. You should be able to specify all other subnets by setting Gateway Direct as the default option. Be careful with this though because you will have more CPU resources needed for all the HTTPS encrypting of your internal client connections (particularly if most of your clients are inside). IMHO this is the preferred option. That is, if you have the Windows server licenses and computer resources available. This is just for testing purposes and the server is internal, not in the DMZ. I am able to launch the application if I set the Secure Access as “Direct”. If I set the Secure Access as “Gateway Direct” I get an “SSL Error 61: You have not chosen to trust “server.XYZ.loca”, the issuer of the server’s security certificate.” I have run into an error message like this with Mac OS X and Linux clients; the Citrix Receiver does not have as comprehensive a list of trusted CA certs and intermediate certs (if used) by default as Windows. You will want to make sure the URL that users enter and the common name on the certificate match exactly, although if you are able to access the Web Interface site with HTTPS without error that shouldn’t be the issue. Protocol Driver error.” From the Citrix Web Interface management console, I am able to create the XenApp service sites. But unable to connect from the Citrix Online Plugin. I am getting this error: “Citrix XenApp could not contact the server entered. This may be because the server is down, there is an error in the configuration file from the server, or the details entered are incorrect. Please try again.” I have noticed that virtual directories are not created on the IIS 7 for the pnagent. I have created the virtual directories for the pnagent, but still no luck. Please help. Thanks Aaron Thanks for following up!
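The name-mismatch problems that keep coming up in the thread above (the internal name myserver.myschool.local against a certificate issued for home.myschool.org, the SSL Error 86 reports, and the reminder that the URL users enter and the common name must match exactly) all come down to the hostname check that every TLS client performs against the certificate. The following is an added example, not code from the blog or from Citrix, that implements that check in Python so a certificate's names can be tested against every URL users will type before the gateway goes live. The certificate names and URLs in it are sample values taken from the discussion, not a real deployment.

```python
"""Added example (not Citrix's code, not the blog's): the hostname check that
browsers and the Citrix client apply to a server certificate, so a name
mismatch can be found before users see an SSL error.

Certificate names and URLs below are sample values from the discussion."""
import ipaddress
from urllib.parse import urlsplit


def _as_ip(text):
    """ip_address for an IP literal (with or without IPv6 brackets), else None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def match_dns_name(pattern, hostname):
    """RFC 6125 style DNS-ID comparison of one certificate name to a host.

    - case-insensitive, trailing dot ignored
    - a DNS name never matches an IP literal
    - '*' is honoured only as the whole left-most label and never spans a dot
      (*.myschool.org covers home.myschool.org but not
      csg.internal.myschool.org and not myschool.org itself)
    - a wildcard needs at least two labels after it (*.org is rejected)
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if _as_ip(hostname) is not None:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert_names, hostname):
    """cert_names: the CN plus every subjectAltName entry (DNS names and IPs)."""
    ip = _as_ip(hostname)
    for name in cert_names:
        name_ip = _as_ip(name)
        if ip is not None and name_ip is not None and ip == name_ip:
            return True
        if ip is None and name_ip is None and match_dns_name(name, hostname):
            return True
    return False


def check_urls(cert_names, urls):
    """Map each URL to True/False: would this certificate be accepted for it?"""
    return {url: cert_matches_host(cert_names, urlsplit(url).hostname or "")
            for url in urls}


if __name__ == "__main__":
    # Sample data: the public certificate and the names users actually type.
    cert = ["home.myschool.org"]
    for url, ok in check_urls(cert, [
        "https://home.myschool.org/Citrix/XenApp",
        "https://myserver.myschool.local/Citrix/XenApp",   # the mismatch
        "https://192.0.2.10/Citrix/XenApp",                # IP literal, no IP SAN
    ]).items():
        print(("OK      " if ok else "MISMATCH"), url)
```

Feed it the CN plus every SAN entry on the certificate and every URL in play, including the internal one. If the internal URL fails, the fix is split DNS (internal clients resolve the public name to the internal address, as one commenter above plans), not a second certificate or a .local name on a public certificate. The check says nothing about trust of the issuer, which is what SSL Error 61 is about: that needs the CA's root and any intermediate in the client's certificate store.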
Externally, when I try to launch an application from WI I get the following error: After following through them once, both internal and external access (including the SSL cert) were all up and running. I am just stuck on this one last (and probably the biggest) problem. We have 1 XenApp 6 server hosting the site, gateway and XenApp roles. We plan to add a second XenApp 6 server to the farm once we are 100% online. We can access the site internally and launch applications. We can access the site externally but when we launch applications we get the “There is no Citrix XenApp server configured on the specified address” error. I have Gateway Direct set up, and followed your directions but am stuck. I would really appreciate your help and thoughts. Thanks! Also, are you using different domain names to connect internally and externally? Having the IIS and the XML service sharing port 80 shouldn’t make a difference with the problems you are describing, as long as you have specified the default of port 80 when configuring the STA in the Web Interface and the Secure Gateway configs. Thanks for the visual. I’m stuck on the CSG, maybe you can point me in the right direction. WI and CSG installed on my webserver. Prior to installing CSG 3.2 I verified I could access the login page using http and https. After installing CSG I can access the login page using and however when I try to connect using I receive Not Found HTTP Error 404. The requested resource is not found. Configured as specified in your article but must have missed something. I have it installed using 2 IPs on one NIC for testing. The XenApp website is configured to a single IP instead of all unassigned. Wildcard cert and using Gateway Indirect for Secure Access in the WI. Any assistance you can provide is greatly appreciated. Thanks, Ron I would check that the CSG service is running in the Services MMC as well as check the Secure Gateway logs.
Secure Gateway registers its own event log so I’d check there as well as the default Windows event logs. I am not sure if it would be related to having 2 NICs in your machine since I haven’t set one up in this manner, but more than likely not. I can only access the secure site if I qualify with the. Any other ideas are greatly appreciated. I have spent almost a week working on this. I have worked with Server 2003 and CSG 3.1. This is my first rendezvous with XenApp 6. Your help is greatly appreciated. Added all unassigned to the binding. Now I can get the login screen. Getting SSL server not accepting connections when running RemoteApp and see bad ticket in the CSG logs. Reselected the STA and updated WI but still get the error. I’ll continue troubleshooting. Thanks again, Ron Everything works internally. I get the error “Citrix SSL Relay name could not be resolved (SSL error 40)”. I’d appreciate any pointers on how this is accomplished. I am a newbie with these web things. Thanks. Basically your options are: For this to work it needs to be a domain that you control at the root level (subdomains from DynDNS won’t work). This solution isn’t very scalable and would require significant maintenance if you have a lot of clients. In my environment I have a dedicated virtual IP address on the load balancers forwarding port 443 to the CSG servers, and clients are able to connect to XenApp without problems. Then on the proxies I have a rule that maps the virtual IP and port 443 to my CSG servers. So basically it is a matter of getting DNS set properly. In my environment I didn’t need to configure anything on the proxies for SSL; basically I am just transparently forwarding the SSL requests on to the CSGs and decryption happens there. Of course if SSL is terminated at the proxy there would be more configuration involved. I tried to set up HAProxy with stunnel to accomplish this at one point but I could never get it to function correctly.
From the Citrix Web Interface management console, I am able to create the XenApp service sites. But unable to connect from the Citrix Online Plugin. I am getting this error: “Citrix XenApp could not contact the server entered. This may be because the server is down, there is an error in the configuration file from the server, or the details entered are incorrect. Please try again.” I have noticed that virtual directories are not created on the IIS 7 for the pnagent. I have created the virtual directories for the pnagent, but still no luck. Please help. The Receiver won’t support the wildcard cert. Mine was purchased through DigiCert, and they gave me a non-wildcard cert free of charge. Hopefully GoDaddy will do the same thing to help you. I had to install WI and CSG on a 2008 R2 box only hosting these components. I want to put emphasis on the need to go through the “MAIN Install” routine offered by the XA6 installation media rather than using the “Install Components” or the standalone installers. These do not install the role services as required and you run into strange issues with IIS 7. Once I read your article, I checked Roles and Features on my 2008 R2 box, ran back to my snapshot on ESXi, and reinstalled both components from the main dialogue as supposed in your article. I’m a bit disappointed about that though. Citrix should put some hints into the install dialogues. I have a XenApp 6 server (citrix1) and another server that I want to host the WI and CSG services (actual name web1, but has a DNS record and SSL cert for citrix). My goal is to have users type citrix.domain.tld in the browser (or in the pad, etc.) and have everything go happily through 443. Currently I can log into the web interface and get a list of apps, but when I try to launch them the details show it is trying to log into the internal IP and 1494. Normally in a single server environment I would expect to just change the WI Secure Access to alternate and use altaddr to add my public IP.
One, of course, the IP it is connecting to is wrong and two, the port is wrong. What info can I give you to help me figure this one out? Whenever I try to connect from the outside I always get info for my internal IPs and port 1494, not the external IP and 443. If so, what are the steps? I’ve done this recently in my environment. I was working on a guide for this but got interrupted ATM. Hope that helps some and I’ll see if I can get around to publishing that SSL Relay article. Users get a login error before seeing applications. The CSG service is set on both servers to log on as Network Service. I can log in and see the published apps etc. but receive this message when launching an application: “Citrix SSL Server cannot be reached”. I have made sure all ports are open on the firewall, i.e. 1494, 443, 80. I am able to access the site externally and see all the published applications. If session reliability is enabled (gateway settings on WI) I am unable to launch the app. The error the client sees is “Cannot connect to the Citrix XenApp server. Protocol driver error”. When session reliability is unchecked then I am able to launch the app. I am using the latest client. SG 3.2.1, WI 5.4. Any ideas? Contact your help desk with the following information: “Cannot connect to the Citrix XenApp server. There is no Citrix XenApp server configured on the specified address”. Doing this allows the gateway to function post reboot without going back through the config. I was wondering how many certificates I need for the Citrix infrastructure. Is that because I don’t have my certificates in place? What is the difference with the CSG? It was very helpful to me in establishing my own single server setup. One thing I’d like to note is that when securing the access on the XenApp websites, I was getting SSL Relay error 40 constantly. I did a ton of troubleshooting, but believe it or not, turning ON session reliability actually stopped the error from occurring.
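The Secure Access decision described earlier in the thread (Direct for clients in the internal subnets, Gateway Direct for everyone else), the recurring "external client is handed the internal IP and port 1494" symptom, and the report that launches fail only with session reliability enabled can all be reasoned about with a small model. Below is an added example, not Citrix's code or the blog author's, that models that decision in Python and lists the firewall rules it implies. The subnets, addresses and gateway name are made-up sample values, and the XML service port is assumed to be the default of 80; the one fact it adds beyond the thread is that session reliability moves the inside connection from TCP 1494 (ICA) to TCP 2598 (CGP).

```python
"""Added example (not Citrix's code): a model of the Web Interface
"Secure Access" decision and the firewall rules it implies.

Subnets, addresses and names are sample values, not a real environment."""
import ipaddress

ICA_PORT = 1494          # plain ICA
CGP_PORT = 2598          # session reliability (Common Gateway Protocol)
GATEWAY_PORT = 443       # clients talk HTTPS to the Secure Gateway
DEFAULT_XML_PORT = 80    # XML service (and STA) on the XenApp server; assumed default


def is_internal(client_ip, internal_subnets):
    """True if the client's source address falls in one of the 'Direct' subnets."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in internal_subnets)


def xenapp_port(session_reliability):
    """Port the XenApp server must accept: 2598 with session reliability, else 1494."""
    return CGP_PORT if session_reliability else ICA_PORT


def secure_access(client_ip, internal_subnets, xenapp_server, gateway_fqdn,
                  session_reliability=False):
    """Return (method, host, port): where the client's ICA connection is pointed.

    Direct hands out the XenApp address itself; Gateway Direct hands out only
    the gateway name and 443, and the CSG makes the inside connection. An
    external client that ever sees the XenApp address and 1494 is therefore
    being treated as Direct, which is the misconfiguration reported above.
    """
    if is_internal(client_ip, internal_subnets):
        return ("Direct", xenapp_server, xenapp_port(session_reliability))
    return ("GatewayDirect", gateway_fqdn, GATEWAY_PORT)


def required_rules(clients, internal_subnets, xenapp_server, gateway_fqdn,
                   gateway_internal_ip, session_reliability=False,
                   xml_port=DEFAULT_XML_PORT):
    """Set of (source, destination, tcp_port) the firewalls must allow.

    Always present: WI/CSG to the XML service / STA. Added per client: the
    client's own hop, and for Gateway Direct clients the CSG's hop to the
    XenApp server on the ICA or CGP port.
    """
    rules = {("wi/csg", xenapp_server, xml_port)}
    for client in clients:
        method, host, port = secure_access(client, internal_subnets, xenapp_server,
                                           gateway_fqdn, session_reliability)
        rules.add((client, host, port))
        if method == "GatewayDirect":
            rules.add((gateway_internal_ip, xenapp_server,
                       xenapp_port(session_reliability)))
    return rules


if __name__ == "__main__":
    # Sample environment: one internal /8, a XenApp server, a CSG in the DMZ.
    subnets = ["10.0.0.0/8"]
    for sr in (False, True):
        print(f"session reliability {'on' if sr else 'off'}:")
        for rule in sorted(required_rules(["10.0.5.7", "203.0.113.9"], subnets,
                                          "10.0.1.20", "home.myschool.org",
                                          "172.16.0.5", session_reliability=sr)):
            print("  allow tcp", *rule)
```

Note what changes when session reliability is turned on: the internal clients and the CSG stop using TCP 1494 and need TCP 2598 instead, so a firewall that allows only 1494, 443 and 80 produces exactly the "works until session reliability is enabled" symptom reported above. Note also that the model never hands an external client the XenApp address, because with Gateway Direct the client connects only to the gateway on 443 and the CSG makes the inside connection; an ICA launch from outside that shows the internal IP and 1494 means the client matched a Direct rule.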
I just finished a test from an external PC, and I’m actually routing through the CSG and able to run apps. Again, thanks a TON for the write-up! (I accidentally posted this on another of your write-ups!) What is the right way to do that? Thanks a lot. Anytime you are in Orange County, CA I would gladly buy you a beer. The WI was installed on 2008 R2. Can you tell me how you fixed it?

For an explanation of how this works (i.e. traffic flow), see Understanding Horizon Connections at VMware Tech Zone. Advantages include: no need for IPsec or 4001 or the other ports (you still need 4172, 22443, etc.). However, you might want extra Horizon Connection Servers so you can filter pools based on tags, and you might need some Linux skills during troubleshooting. Some of the newer Blast Extreme functionality only works in Unified Access Gateway (Access Point) 2.9 and newer; see Configure the Blast Secure Gateway at VMware Docs. You usually want the non-FIPS version. UDP 4172 must be opened in both directions.

The PowerShell script is updated as newer versions of Unified Access Gateway are released and is the recommended method of deploying Unified Access Gateway. If the VM name already exists in vCenter, then OVF Tool will delete the existing VM and replace it, so there is no need to power off the old appliance. Don’t enter an actual password; OVF Tool will instead prompt you for the password. If there are spaces, there’s no need for quotes. Make sure you enter a local path (e.g. C:\): the OVA source file can be UNC, but the .pfx file must be local. Make sure the passwords meet password complexity requirements. Special characters in the vCenter password must be encoded: use a URL encoder tool to encode the password, then paste the encoded password when prompted by ovftool. The UAG passwords do not need encoding, but the vCenter password does. Before deleting the older appliance, export your settings. If the DNS name ends in .local, then see 78611 DNS Related Troubleshooting With Unified Access Gateway 3.7 and newer, which is based on Photon 3, and Roderik de Block’s VMware UAG not using DNS. For multiple UAGs, the FQDNs and public IP address should resolve to the load balancer. Note: your load balancer must support persistence across multiple port numbers (443, 8443, 4172); on NetScaler this feature is called Persistency Group, on F5 it is called Match Across. The IP should point to your external load balancer that’s load balancing UDP 4172 and TCP 4172 to multiple Unified Access Gateways.

To deploy through vSphere instead, note that the HTML5 UI client in vSphere 6.5 Update 2 and newer might work for a single NIC. In vSphere Web Client, go to the Datacenter object; in the Open window, browse to the downloaded euc-unified-access-gateway-3.10.0.0.ova file. See DMZ Design for VMware Unified Access Gateway and the use of Multiple NICs at VMware Communities; UAG typically goes in the DMZ. Note: the HTML5 vSphere client displays the settings in a different order than the Flash vSphere Web Client. It might take a minute or two before the admin page is accessible. See VMware 78419 Unified Access Gateway (UAG) high CPU utilization.

For the Horizon settings, point your browser to the internal Horizon View Connection Server FQDN (load balanced), and click the padlock icon to open the certificate. Press the arrow keys on the keyboard to find the hidden character, then delete it. You’ll use this name later. In Horizon Administrator, on the left, expand View Configuration and then click Servers. Also see 2144768 Accessing the Horizon View Administrator page displays a blank error window in Horizon 7. See Configuring Authentication in DMZ at VMware Docs. The session timeout defaults to 10 hours. See Unified Access Gateway High Availability at VMware Docs.

The PFX certificate must match the public FQDN (load balanced) for Unified Access Gateway. If not running Unified Access Gateway 3.0 or newer, then certificates created on Windows (PFX files) must be converted to PEM before they can be used with Unified Access Gateway. You can use openssl commands to perform this conversion. The private key should be unencrypted. The server certificate is on top, the intermediate certificates are below it.

Endpoint compliance checks require an OPSWAT subscription. The OPSWAT agent is deployed to endpoints out-of-band. Alternatively, Horizon Client downloads the executables from UAG and runs them; see Upload OPSWAT MetaAccess on-demand agent Software on Unified Access Gateway at VMware Docs and the YouTube video Endpoint Compliance Checks: New VMware Horizon Security Feature. If you need to rebuild your Unified Access Gateway, simply import the JSON file. Horizon Clients should also work to the Unified Access Gateway URL. You can less the logs from the appliance console, or download a .zip file with all of the logfiles, which is much easier to read in a GUI text editor.

I don’t see any setup documentation with regards to our exact scenario. I have not found a definitive document on what is needed in terms of ports. From that I have tcp:443 going to the connection server(s). What am I missing? Thanks. Blast might also work. I may not have mentioned but the desktop is physical. Thanks.
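The PFX to PEM conversion mentioned above for Unified Access Gateway appliances older than 3.0 is usually done with openssl by hand, and the two usual mistakes are a key that is still encrypted and certificates in the wrong order. The following is an added example, not VMware's code or the article's, that drives the standard openssl pkcs12 subcommands from Python and then checks the resulting files for the three properties the text asks for (unencrypted key, server certificate first, intermediates after it). The file names are placeholders, the password is read from an environment variable rather than put on the command line, and the PEM strings used to exercise the checks are constructed, not real certificates.

```python
"""Added example (not VMware's code): split a Windows PFX into the PEM files an
older Unified Access Gateway expects, and check them before uploading.

File names are placeholders; the PEM text used for testing is constructed."""
import os
import re
import subprocess
from pathlib import Path

# One PEM block: label, then the body up to the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_block_types(text):
    """Ordered list of PEM labels in text, e.g. ['CERTIFICATE', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def strip_bag_attributes(text):
    """Keep only the PEM blocks; 'openssl pkcs12' prefixes them with Bag Attributes."""
    return "".join(f"-----BEGIN {m.group(1)}-----\n{m.group(2)}-----END {m.group(1)}-----\n"
                   for m in PEM_BLOCK.finditer(text))


def key_is_unencrypted(text):
    """True for a plain PKCS#8 or traditional key; False for either encrypted form."""
    types = pem_block_types(text)
    if "ENCRYPTED PRIVATE KEY" in types or "Proc-Type: 4,ENCRYPTED" in text:
        return False
    return any(t.endswith("PRIVATE KEY") for t in types)


def chain_looks_right(chain_text, server_cert_text):
    """Chain must contain only certificates and start with the server certificate."""
    types = pem_block_types(chain_text)
    first = PEM_BLOCK.search(chain_text)
    server = PEM_BLOCK.search(server_cert_text)
    return (bool(types) and all(t == "CERTIFICATE" for t in types)
            and first is not None and server is not None
            and first.group(2) == server.group(2))


def verify_pem(key_text, server_text, chain_text):
    """The checks the text above asks for, as a dict of booleans."""
    return {"key_unencrypted": key_is_unencrypted(key_text),
            "chain_ok": chain_looks_right(chain_text, server_text)}


def pfx_to_pem(pfx, password, out_dir, legacy=False):
    """Run openssl to produce key.pem, server.pem and chain.pem in out_dir.

    legacy=True adds -legacy, which OpenSSL 3 needs for PFX files that still
    use RC2/3DES (common for files exported from Windows). -cacerts may also
    emit the self-signed root; drop that block from chain.pem if you want
    only the intermediates below the server certificate.
    """
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    key, server, cas, chain = (out / n for n in
                               ("key.pem", "server.pem", "cacerts.pem", "chain.pem"))
    env = dict(os.environ, PFX_PASS=password)        # password stays off the command line
    base = ["openssl", "pkcs12", "-in", str(pfx), "-passin", "env:PFX_PASS"]
    if legacy:
        base.append("-legacy")
    # -nodes writes the key unencrypted; -nocerts / -nokeys select what to emit.
    subprocess.run(base + ["-nocerts", "-nodes", "-out", str(key)], check=True, env=env)
    subprocess.run(base + ["-clcerts", "-nokeys", "-out", str(server)], check=True, env=env)
    subprocess.run(base + ["-cacerts", "-nokeys", "-out", str(cas)], check=True, env=env)
    chain.write_text(strip_bag_attributes(server.read_text())
                     + strip_bag_attributes(cas.read_text()))
    return key, server, chain


if __name__ == "__main__":
    import sys
    k, s, c = pfx_to_pem(sys.argv[1], os.environ["PFX_PASS"], "uag-pem",
                         legacy="--legacy" in sys.argv)
    print(verify_pem(k.read_text(), s.read_text(), c.read_text()))
```

Invoke it as `PFX_PASS=... python convert.py uag.pfx` (add `--legacy` on OpenSSL 3 if the first command fails with an unsupported-algorithm error). Upload key.pem and chain.pem only when both checks come back True; an encrypted key or a chain that starts with an intermediate is rejected by the appliance, and the chain must be for the public, load-balanced FQDN as the text above says.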