The Ultimate Citrix Install Guide
 

25. How to Secure ICA Session Traffic with Citrix Secure Gateway (CSG) 1.1

Citrix Secure Gateway for Windows lets you deploy applications securely from anywhere, at any time, over any connection, without the need for expensive VPNs and cumbersome clients. Secure Gateway is designed to work with NFuse Classic to provide a single, secure, encrypted point of access through the Internet to MetaFrame servers on internal corporate networks. When Secure Gateway is used for internal or remote access, the service transparently encrypts and authenticates all ICA connections to protect against data tampering and theft.

The Citrix Secure Gateway application consists of two software components that must be installed on separate servers:

Secure Ticket Authority (STA) System Requirements:

        Microsoft Windows 2000 Server with Service Pack 2

        256MB RAM

        Network Interface Card (NIC)

        Internet Information Server 5.0 (IIS) installed and configured

 

Citrix Secure Gateway Service (CSG) System Requirements:

        Microsoft Windows 2000 Server with Service Pack 2

        256MB RAM

        Network Interface Card (NIC)

        Additional 150MB hard drive space

 

NFuse System Requirements:

Citrix Secure Gateway is natively supported by NFuse 1.61 and NFuse Classic 1.71; earlier versions of NFuse work with the help of Project Columbia 6.01.

ICA Client System Requirements:

To take full advantage of all the secure access features that Citrix Secure Gateway offers, I recommend using ICA Client software, Version 6.30 or later. Users will also need a web browser and the appropriate mechanism for installing root certificates.

The following tasks must be completed in order to successfully install Citrix Secure Gateway:

       Install, configure and test a secure NFuse web server as documented above.

       I highly recommend you read the Citrix Secure Gateway Administrators Guide and the Installation Checklist found in the Citrix MetaFrame XP for Windows with Feature Release 2 Components CD.

       Select server(s) that meet the minimum requirements for each component (CSG and STA).

       Obtain an SSL certificate for the CSG server(s).

       Create DNS CNAME records to point to the STAs and CSGs.

       Print, re-read and fill out the Installation Checklist. If there are any sections you do not understand, please refer to the CSG Administrators Guide.

        Install the STA component.

        Install the CSG component.

       Configure NFuse to utilize CSG.

 


25. 1.    How to Install and Configure the STA Component

The first component you will need to install is the Secure Ticketing Authority (STA). The STA functions as a ticketing authority that issues tickets for ICA Clients. These tickets form the basis of authentication and authorization for ICA connections to a MetaFrame server. The STA is an ISAPI (Internet Server Application Program Interface) DLL and must be installed on a Windows 2000 server running IIS 5.0.

 

The following details how to do a typical install of the STA service.

1.      Verify that IIS is installed and working properly.

2.      Insert the MetaFrame XP Components CD and, when the Citrix MetaFrame XP Components pop-up opens, click the Citrix Secure Gateway button.

3.      Click the Secure Ticket Authority button.


4.      Click Next to continue.

 

5.      Click the I accept the license agreement radio button and click Next.


6.      Click Next to continue.

 

7.      You are now prompted to select the location of the web server's scripts directory. If you have changed the default location, enter the new location here. Click Next to continue.


8.      Click Finish to install the STA service.

 

9.      Click Next to accept the default typical configuration.


10. If this is your first STA server, I highly recommend accepting the default STA ID. If not, increment the number by 1, for example STA02, STA03.

 

11. Click Finish to restart the STA service and complete the installation.

 

You have now successfully configured the STA component and are ready to install the CSG service on another server.

 


25. 2.    How to Install and Configure the CSG Component

The Secure Gateway Service is a component that functions as an Internet gateway between ICA Clients and a MetaFrame server farm. The Secure Gateway Service runs as a Windows 2000 service and must be installed on a machine running Windows 2000 Server.

The following details how to install the CSG service on a Windows 2000 server.

1.      Insert the MetaFrame XP Components CD and, when the Citrix MetaFrame XP Components pop-up opens, click the Citrix Secure Gateway button.

2.      Click the Secure Gateway Service button to install the CSG service.

3.      Click Next to continue.

4.      Click the I accept the license agreement radio button and click Next to continue.

5.      Click Next to continue.

6.      Click Finish to install the CSG component.

7.      Click Next to accept the default typical configuration.

8.      Select the server certificate that you will be using. If more than one server certificate is listed, click the View button and view the details of the certificate to verify you are selecting the correct one. Click Next when finished.

9.      You are now prompted to add the STAs that you will be utilizing. Click Add to enter the STAs.

10. Enter the FQDN or IP address of an STA that was configured above, edit the STA identifier if needed, and click OK.

11. You are brought back to the Add STA details screen. If you have additional STAs to configure, click Add and repeat step 10. Click Next when finished.

12. Specify the IP addresses that the CSG will monitor and the TCP port number. When finished, click Next.

Note: In most cases, you will accept the default port, but if you are implementing CSG through a port-sharing firewall and have configured the CSG service on the same server as IIS, you will need to change the port number to avoid conflicts. This requires opening the specified port on the firewall.

13. Select the appropriate system Event Log logging settings and click Next.

14. Click Finish to restart the server and complete the installation of the Citrix Secure Gateway service.

 


25. 3.    How to Configure NFuse to Utilize Citrix Secure Gateway (CSG)

Now that we have configured the CSG components, we are ready to turn our attention to NFuse. NFuse provides the Web front end that ICA Client users connect to, and supports the ticketing and authentication functions of Secure Gateway.

The following details how to configure NFuse 1.71 to utilize Citrix Secure Gateway.

1.      Open the NFuse Web Administrator (http://nfuseserver/citrix/nfuseadmin)

2.      Click the Server-Side Firewall link

3.      You are now presented with the Server-side firewall settings page. Click the Citrix Secure Gateway radio button in the Default address translation setting section to set CSG as the default method for ICA session traffic.

4.      One of the new features of NFuse Classic 1.71 is that it allows you to specify address translation settings per IP network. To give a specific IP network a different address translation than the default, enter the IP network number in the Client address prefix text box, select the address translation Option radio button, and click Add.

5.      Click Save when finished.

6.      Click the Server-Side Firewall link and scroll down to the Secure Gateway server section of the page.

7.      Enter the FQDN address of the server running the CSG component in the Address (FQDN) text box.

8.      Enter the port the CSG component is listening on in the Port text box.

9.      If you have a firewall configured to perform network address translation between the CSG box and the MetaFrame server, check the Use alternate addresses of MetaFrame servers checkbox.

10. In the Secure Ticket Authorities URL text box, enter the NetBIOS name of the server running the STA component in place of <server> and click the Add button.

11. Repeat step 10 to add an additional STA server for high availability. If you will be using multiple STAs, I recommend checking the Use the Secure Ticket Authority list for load balancing checkbox to enable round-robin load balancing.

12. Click Save when finished.

13. Click the Apply Changes link.

14. Click the Apply Changes button to take advantage of the above changes and the Citrix Secure Gateway.

 

You have now successfully implemented Citrix Secure Gateway in order to secure the ICA session traffic.


25. 4.    Common Issues Encountered During Installation

The following is a basic list of common issues encountered during a Citrix Secure Gateway installation.

Common Errors:

        Error 61 - Check Server and Root certificates and verify you are using the latest ICA Client v6.30.

        Cannot load the Citrix ICA client drivers.[Error 1034:Communication I/O Error] - General communication error. Check Installation configuration, IP, Name, Certificates.

        The Citrix SSL Server you have selected is not accepting connections - Check the Installation configurations for Gateway and NFuse web servers. You might need to re-install NFuse components.

 

SSL Errors:

"Security alert: The name on the security certificate does not match the name of the server (SSL error 59)."

The ICA Client is attempting to connect to the server using its NetBIOS name, IP address, or a fully qualified domain name (FQDN) that does not match the subject of the server's certificate. To connect successfully, the ICA Client must connect using the DNS name of the server exactly as it appears on the server certificate. In NFuse scenarios, you must set AddressResolutionType=dns or dns-port in nfuse.conf and enable DNS name resolution on the farm properties panel in the Citrix Management Console.


"The server certificate received is not trusted (SSL error 61)."

The required CA Root certificate is not installed on the client device. In most cases if you are using a well-known public certification authority such as Verisign, Baltimore, Thawte, GeoTrust or RSA, the required root certificate already exists on the client devices. However, if you are using your own certificate server to generate server certificates, or if you are using a trial certificate from a CA, you need to install the CA Root certificate on all client devices for them to connect. For more information about CA Root certificates and why they are necessary, read the white paper entitled Using the Citrix SSL Relay.


"The connection was rejected. The SSL certificate is no longer valid. Please contact your Citrix Administrator (SSL error 70)."

The server certificate installed on your MetaFrame server is not yet valid or has expired. SSL server certificates typically have a fixed set of valid dates, and both the client device's system clock and the server's system clock must be set to a time that falls within that range for an SSL connection to succeed. (A common problem encountered when using Microsoft Certificate Services to generate digital certificates in-house is that the period of validity may not begin until the day after the certificate is generated.) To determine the validity date of your server certificate, double-click the certificate file and inspect the Valid from and Valid to fields.
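
The name and date checks behind SSL errors 59 and 70, as an added Python example that is not part of the original guide or of any Citrix tool. It assumes certificate fields in the dict layout of Python's ssl.SSLSocket.getpeercert(); the function names, host names and dates are constructed, and error 61 is left out because trust cannot be decided from these fields.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict layout of ssl.SSLSocket.getpeercert();
# the organisation, host name and dates are made up for illustration.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "csg.example.com"),)),
    "notBefore": "Jun  2 00:00:00 2003 GMT",
    "notAfter": "Jun  1 23:59:59 2004 GMT",
}


def common_name(cert):
    """Return the subject commonName, or None if the subject has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def to_epoch(utc_clock):
    """Convert a naive datetime holding UTC time to seconds since the epoch."""
    return utc_clock.replace(tzinfo=timezone.utc).timestamp()


def predict_ssl_errors(cert, connect_name, client_clock, server_clock):
    """Return the SSL error numbers (59 and/or 70) a connection would hit."""
    errors = []
    cn = common_name(cert)
    # Error 59: the name the client connects with must equal the subject
    # name, so a NetBIOS name or an IP address fails. The comparison is
    # case-insensitive here, which is an assumption of this example.
    if cn is None or connect_name.lower() != cn.lower():
        errors.append(59)
    # Error 70: the client clock and the server clock must both fall
    # inside the certificate's notBefore..notAfter window.
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    clocks = (to_epoch(client_clock), to_epoch(server_clock))
    if any(not start <= clock <= end for clock in clocks):
        errors.append(70)
    return errors
```

Passing the day the certificate was issued as both clocks reproduces the Microsoft Certificate Services case described above, where validity only begins the following day.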

 

 

All Rights Reserved for DABCC, Inc.